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ABSTRACT 



Model theoretic results such as Characterization and Definability give important information 
about different logics. It is well known that the proofs of those results for several modal logics 
have, somehow, the same 'taste'. A general proof for most modal logics below first order is still 
too ambitious. In this thesis we plan to isolate sufficient conditions for the characterization 
and definability theorems to hold in a wide range of logics. Along with these conditions we will 
prove that, whichever logic that meets them, satisfies both theorems. Therefore, one could 
give an unifying proof for logics with already known results. Moreover, one will be able to 
prove characterization and definability results for logics that have not yet been investigated. 
In both cases, it is only needed to check that a logic meets the requirements to automatically 
derive the desired results. 

Keywords: logic, modal, characterization, definability, saturation. 
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ABSTRACT EXTENDIDO 



Para una amplia variedad de aplicaciones que usan la logica como herramienta, la logica de 
primer orden es suficiente para resolver sus problemas de manera teorica. Sin embargo, cuando 
se considera el comportamiento prdctico de la lgica de primer orden uno se encuentra con 
varias complicaciones. Primero que nada, la logica de primer orden es indecidible. Esto quiere 
decir que no exist e un algoritmo general para decidir si una formula arbitraria es satisfacible. 
Segundo, en general la mayoria de las aplicaciones que usan esta logica no aprovechan al 
maximo su poder. Por lo tanto, incluso cuando se trabaja con fragmentos decidibles de primer 
orden, se puede estar pagando un precio excesivo por cualidades que no seran utilizadas. 

Las logicas modales proposicionales ofrecen una alternativa a los lenguajes tradicionales. 
Pueden ser pensadas como un conjunto de herramientas que permiten dise nar logicas es- 
pecfflcamente construidas para una tarea en particular, posibilitando un control fino en su 
expresividad. Mas aiin, las logicas modales resultaron tener un buen comportamiento com- 
putacional que probo ser bastante robusto frente a extensiones. Estas caracteristicas, entre 
otras, ubicaron a las logicas modales como una alternativa atractiva con respecto a los lengua- 
jes clasicos como por ejemplo la logica de primer orden. 

En esta tesis trabajaremos con logicas modales que son a lo sumo tan expresivas como 
la logica de primer orden. Informalmente, esto quiere decir que si uno puede expresar una 
propiedad con una formula de dicha logica modal entonces existe una manera de expresar la 
misma propiedad en primer orden. En otras palabras, uno puede decir que si una formula 
modal ip denota una propiedad dada entonces existe algun tipo de traduction cuyo resultado 
es una formula de primer orden ip l que denota la misma propiedad. 

En ciencias de la computation, una bisimulacion es, a grandes rasgos, una relation binaria 
entre modelos que asocia aquellos que se comportan de la misma manera. Asi, dos modelos 
son bisimilares cuando no pueden ser distinguidos mutuamente por un observador. La notion 
de bisimulacion es ampliamente empleada en varias areas como la logica modal, la teoria de 
concurrencia, la teoria de conjuntos, la verification formal, etc. 

La notion de bisimulacion fue descubierta de manera independiente y relativamente si- 
multanea por van Benthem, en el contexto de teoria de correspondencia modal; Milner y 
Park, en teoria de la concurrencia; y Forti y Honsell en teoria de conjuntos sin axioma de 
buena fundacion. Estos ultimos utilizan bisimulaciones para mostrar la equi Valencia de obje- 
tos con estructura infinita no-inductiva y garantizar asi extensionalidad de los modelos de su 
teoria [FH83]. Van Benthem [vB76] obtiene la idea de bisimulacion como una generalization 
del concept o de p-morflsmo entre modelos; con ella caracteriza a la logica modal basica como 
el fragmento de primer orden invariante bajo bisimulaciones (lo que se conoce como Teo- 
rema de Caracterizacion de van Benthem). Milner y Park fueron los que acunaron el termino 
bisimulacion, tecnica que utilizaron como herramienta para probar la equivalencia de procesos 
concurrentes [Mil80, Par81]. En [San09] se da un interesante panorama historico del area. 

La bisimulacion es una herramienta crucial en el proceso de estudiar estructuras rela- 
cionales y abre el camino para poder analizar formalmente caracterizaciones de la expresivi- 
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dad de los lenguajes modales. Intuitivamente, fijada una logica £, la nocion de bisimulacion 
define cuando dos modelos son indistinguibles para C (es decir, no exist e una formula de 
C que sea verdadera en un modelo y falsa en otro). Existe una gran variedad de areas en 
donde la bisimulacion juega ahora un rol central: logica modal [vB76], teoria de concurren- 
cia [Par81], teoria de conjuntos [FH83], verification formal [COP00], generation de lenguaje 
natural [AKS08], etc. 

El teorema de caracterizacion de van Benthem para la logica modal basica caracteriza 
el fragmento de primer orden invariante bajo la definition de bisimulacion. Informalmente, 
puede ser enunciado de la siguiente manera. 

Teorema. Una formula de primer orden a es equivalente a la traduction de una formula de 
la logica modal basica si y solo si a es invariante bajo bisimulaciones. 

Ahora bien, desde un punto de vista logico, no existe una unica nocion de bisimulacion. 
A cada lenguaje modal le corresponde una nocion de bisimulacion distinta (o, en el caso de 
logicas sub-booleanas, una simulation [KdR97, KdR99]). 

En general, cada combination de logica y bisimulacion tiene su demostracion de un teorema 
equivalente a la caracterizacion de van Benthem. Un problema esencial es que no parece haber 
una demostracion general y cada caso necesita una nueva prueba usando herramientas ad-hoc. 

El nacimiento del concepto de bisimulacion y la teoria de correspondencia ayudo a respon- 
der nuevas preguntas desde una perspectiva puramente de teoria de modelos. Un ejemplo 
es la caracterizacion de definibilidad en logica modal. Informalmente decimos que una clase 
de modelos es definible por un conjunto de formulas T si esta compuesta por exactamente 
todos los modelos donde T es valida. Una clase se dice definible por una formula modal si es 
definible por un conjunto singleton. 

Seria interesante saber que propiedades deberia cumplir una clase de modelos para ser 
definible ya ser por un conjunto de formulas o por unica una formula modal. Esta pregunta 
ya se ha enunciado y respondido para la logica de primer orden. Para ese caso, la respuesta 
esta formulada en terminos de isomorfismos potenciales. En cambio, en el caso de las logicas 
modales la nocion de bisimulacion juega un rol esencial. Para dar un ejemplo citamos el 
siguiente resultado para la logica modal basica [BdRVOl]. 

Teorema. Una clase de modelos K es definible por una formula modal si y solo si K y K 
estan cerrados por bisimulaciones y ultraproductos. 

Por el momento, no es necesario preocuparse por la definition formal de 'ultraproductos'. 
Solo es necesario saber que los ultraproductos son una construction de modelos (con origenes 
algebraicos) muy utiles. Inicialmente, dicha construction llamo la atencion a los logicos porque 
podia ser usada para dar una demostracion puramente algebraica del Teorema de Compacidad 
para primer orden. Para un desarrollo detallado sobre ultraproductos recomendamos la lectura 
de [Kei08]. 

Como con el teorema de caracterizacion, resultados de definibilidad similares al aqui pre- 
sentado valen para una amplia variedad de logicas modales. De la misma manera, cada logica 
tiene su propia demostracion especialmente disehada para ese caso en particular. 
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Claramente, result ados como los de Caracterizacion y Definibilidad nos sirven para enten- 
der mejor una logica. Es mas, estos resultados tambien tienen un gran impacto en aplicaciones 
practicas de Ciencias de la Computation. 

Consideremos el siguiente problema: Supongamos que estamos interesados en realizar 
model checking, esto quiere decir, dado el modelo de un sistema, verificar automaticamente si 
el modelo cumple una cierta especiflcacion. Supongamos tambien que la especiflcacion puede 
ser escrita como una formula de primer orden (p. 

Siempre podemos usar herramientas de primer orden para verificar si el modelo satisface ip 
pero eso puede resultar, como ya hemos mencionado, en un alto costo en cuanto a complejidad 
computational. Uno podria tratar de encontrar logicas mas 'baratas' que puedan resolver 
el problema. Si la misma propiedad pudiera ser expresada en una logica modal entonces 
probablemente podriamos mejorar la performance del proceso drasticamente. 

Discutamos un ejemplo concreto: Supongamos que los puntos del dominio de nuestro 
modelo son diferentes estados en la ejecucion de un programa. De esta manera, hay una 
transition desde un punto a otro si es posible ejecutar una transformation del programa que 
lo lleve del estado a al estado b. Pensando en el modelo de esta manera se puede ver que los 
estados sin sucesores representan estados donde el programa ha finalizado. 

Una propiedad deseable del modelo podria ser que "en cada estado del programa se debe 
poder 'escapar' del flujo de ejecucion". Esto quiere decir que todo punto debe poder ver 
directamente a un estado sin sucesores. Esta propiedad puede ser veriflcada probando que la 
formula de primer orden 

<f(x) = 3y.R(x,y) —> (3z.R(x,z) A Vw.-*R(z,w)) 

sea valida en el modelo pero tambien puede ser veriflcada probando que la formula de la logica 
modal basica i/j = OT OD_L sea valida en el modelo. Como estas dos formulas representan 
la misma propiedad (son equivalentes) podemos usar model checkers que acepten formulas de 
la logica modal basica como entrada para poder resolver nuestro problema. 

Aparte de ser mucho mas 'amigable', la simple existencia de la formula ifj nos dice que 
la propiedad en cuestion es invariante bajo bisimulaciones. Esta information nos brinda un 
beneflcio extra. Supongamos que el modelo es automaticamente generado a partir de una 
portion de codigo. Si, por ejemplo, alimentamos al generador con el codigo de un sistema 
operativo entero, el modelo resultante sera muy grande. 

No es el objetivo de esta tesis meterse en estos temas pero existen algoritmos eflcientes para 
minimizar el modelo automaticamente. Estos algoritmos preservan la verdad de las formulas 
invariantes por bisimulacion [Hop71, Gri73]. Por lo tanto, al tener una formula modal que 
representa nuestra propiedad, uno podria primero minimizar el modelo y hacer model checking 
sobre el modelo resultante que sera, muy probablemente, mucho mas chico que el original. 

Por otra parte, supongamos que se quiere verificar si el modelo es 'irreflexivo'. Esto quiere 
decir, que ningun elemento esta relacionado consigo mismo. Si interpretamos esta propiedad 
en el escenario descripto anteriormente, la propiedad diria que ningun estado debe poder 
quedarse 'colgado' en si mismo. 

Para este caso, incluso cuando la propiedad puede ser puesta a prueba veriflcando la 
validez de la formula de primer orden x), no existe ninguna formula de la logica modal 
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basica que sea equivalente. Esto puede ser demostrado facilmente ya que la 'irreflexividad' 
no es invariante bajo bisimulaciones. Es mas, la logica modal basica tiene una propiedad 
llamada la 'propiedad de modelo de arbol' o tree model property. Esto quiere decir que 
cualquier formula satisfacible es tambien satisfacible en un modelo que tiene forma de arbol. 
Como corolario surge que no existe ninguna formula de la logica modal basica que caracterice 
irreflexividad, antisimetria ni intransitividad. 

Es este el fin de la logica modal? Estamos condenados a usar la logica de primer orden 
en este caso? Afortunadamente, la respuesta es no. Aunque la logica modal basica no pueda 
expresar esas propiedades, existen logicas modales mas ricas (que aun se mantienen por debajo 
del poder expresivo de primer orden) que pueden hacerlo. Como ejemplo, pueden usarse 
las logicas hibridas [BdRVOl] y las menos conocidas Memory Logics [AFFM08] que seran 
oportunamente introducidas. 

En smtesis, resultados de teoria de modelos como los de Caracterizacion y Definibilidad 
dan information importante sobre las distintas logicas. Se sabe que las demostraciones de 
estos resultados para las diferentes logicas modales tienen, de algun modo, el mismo 'sabor'. 
Una prueba general que cubra todas las logicas modales por debajo de primer orden es, por 
el momento, un plan demasiado ambicioso. 

En esta tesis damos condiciones muy generales pero suflcientes para que las propiedades 
de Caracterizacion y Definibilidad valgan en una amplia gama de logicas modales: cualquier 
logica modal que cumpla nuestras condiciones veriflcara las propiedades de Caracterizacion y 
Definibilidad. El resultado se puede aplicar tanto a logicas para las que se saben ciertas las 
propiedades en cuestion, como a logicas para las que se desconocia si estas propiedades valian 
o no. En el primer caso, obtenemos demostraciones nuevas de resultados ya conocidos (en 
particular, aplicamos nuestro esquema a las logicas hibridas con el operador @ y nominales). 
En el segundo caso, obtenemos resultados novedosos, aplicando nuestras herramientas a las 
memory logics, una familia de logicas modales con comportamiento dinamico introducidas 
recientemente en el area. 



1. INTRODUCTION 



1.1 A bit of history 

The first traces of modal logic go back to 1918 with the work of C. Lewis [Lewl8]. In this 
publication he enriched the propositional calculus with two operators to try to solve some 
problems with material implication. In a modern notation these operators would be □ and 
O. Given a formula ip, then, Dtp was meant to be interpreted as "it is necessary that cp" and 
0(p as "it is possible that tp" . At this point (called the 'syntactic era') all the work on Modal 
Logic was strictly syntactical, there was no model theory for it. 

Later, during the end of 1950s and early 1960s (sometimes called the 'classical era') the 
first ideas on modal logic semantics were born. The seminal work of Prior [Pri57] (with 
tense logic) and Jonson and Tarski with boolean algebras with operators [JT51, JT52] later 
gave birth to Kripke semantics for modal logics. Kripke's work [Kri63a, Kri63b] proposes a 
relational semantic for modal logic, that is, a suitable model to evaluate a modal formula is 
just a set of worlds (or points) and relations among them. 

With these semantics, many difficult problems (such as knowing whether two axiomatic 
systems are equivalent) had now turned a lot easier. The emergence of cannonical models and 
completeness results were predominant in this period which helped link the ancient 'syntactic 
era' with the new semantics. Although the research made in the 'classical era' was not 
syntactical, it was anyways syntactically driven. That is, relational semantics, were used as a 
tool to analyze logics and prove syntactical results. Model theory, was not playing a big role 
by itself. 

The so-called 'modern era' goes from the 1970s to the present days. In this period, modal 
logic started to be used to describe relational structures and not just as a mere tool. The germ 
of modal logic also started to spread to other fields, as an example, computer scientists started 
to use modal logics to reason about programs represented as relational models. The first steps 
in this line of work were taken by Pratt [Pra79] with his work on propositional dynamic logic 
(PDL). Computer scientists added new problems to the already growing pool of questions. 
Complexity of the satisfiability problem for modal logics started to be studied with the work 
of Ladner [Lad77] for normal logics and Ladner, Fischer and Pratt [FL79, Pra79] for PDL. 

The discovery of frame incompleteness results showed that there are classes of models for 
which there is no possible axiomatization (Thomason [Tho72, Tho74] and Fine [Fin74]). This 
shows that modal logics can't be analyzed from a purely syntactical perspective. 

Modal logic is not isolated from the rest of the world. During this period, the expressive 
power of modal logics was put into question. Which logic is the best to describe certain 
relational structures? Now that we know that different logics have different computational 
complexities, which is the 'cheapest' logic that solves my problem? The power of these logics 
could be compared between each other and also with respect to classical logics such as first 
and second order logic. 

The results brought to light by this period helped shift the view of modal logics as 'in- 
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tensional' formalisms that were only able to talk about 'modes of truth' to a much broader 
panorama, which constitutes the current way of looking at modal logics. 

1.2 Basic modal logic 

It is now time to formally meet the modal logics we are going to work with and its relational 
semantics. We start by defining the basic modal language BML. Because we are interested in 
working with many modalities at the same time, the diamond (O) and box (□) operators are 
going to turn into the operators (r) and [r], where r indicates the modality we are working 
with. When we are in a case where there is a single modality, we are going to use O and □ 
again. 

Definition 1.2.1 (Syntax). Suppose we have a set of propositional symbols PROP = {pi,£>2, • • • } 
and a set of modality symbols REL = {ri,r2, . . . }. We assume that both sets are pairwise 
disjoint and countable infinite. A specific choice of PROP and REL is called the signature of 
the language. We define the set of formulas of the basic modal language over the signature 
(PROP,REL) as: 

ip ::= T | _L | p \ -up \ (pA^\(p\/^\(p^t(j\(p^t(j \ (r)tp \ [r](p 
where p E PROP, r E REL and (/?, ip are formulas. 

Of course this is not a minimal definition. One can fix an adequate set of primitive boolean 
connectors (like -> and A) and define all the other boolean connectors in terms of that primi- 
tive set. Also, as it will follow from the satisfaction definition we are going to present below, 
diamond and box are dual operators, and therefore for all r E REL, (r)ip can be defined as 
-i [r] -i(£>, and conversely, [r]<p is equivalent to -i(r)-><£. We are not going to bother yet to pick 
a set of primitives operators, since it is not really important at this point. When we do that, 
we will only have to worry about choosing a convenient set that allows us to generate the 
whole language. 

Now we formally define the models for the basic modal language. As we mention before, 
Kripke semantics define models as graphs, and in fact, as directed graphs with decorations. 

Definition 1.2.2 (Kripke models). Let S = (prop, rel) be a signature. A Kripke model M. 
for S is a tuple (W, (i? r )rGREL, V) satisfying the following conditions: 

(i) W, the domain, is a nonempty set whose elements are called points, but also, depending 
on the context, states, worlds, times, etc. 

(ii) Each R r , an accessibility relation, is a binary relation on W. 

(iii) V : PROP — >► V(W), the valuation, is a labeling function that assigns to each proposi- 
tional symbol p E PROP a subset of W. We can think of V(p) as the set of points in M 
where p holds. 

Given a model M. and w E \M\, we call (A4,w) a pointed model. 
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Before moving on, let us see an example of a Kripke model, in order to clarify the concept. 
In the following model we will give a graphical representation of the domain and the relations 
of the model. A node represents an element in the domain and an edge from w to w' labeled 
as R means that wRw' . 

Example 1.2.3. Consider the following model M. — (W, (R r )reREL, V): 



R 2 p>q 




Q 



This model has a domain of four points, W = {wi, W2, ws, W4}. The signature in which it 
is based on is (prop = jjp, (/}, REL = {ri,r2}), that is, it has two modalities, r\ and r2, and 
two propositional symbols, p and q. We explicitly indicate in the picture the places where 
the propositional symbols hold. Translated to the valuation function V, that means that 
V(p) — {^15^3} an d V(o) — {^25^3}- Observe that at W4 no propositional symbol holds. 

Now we are ready to define the semantics for the basic modal language, since we already 
have both the syntax and the structures the language is going to talk about. Recall that 
modal logics describe Kripke structures from an internal perspective. This means that, in 
contrast with first order logic in which formulas see models from some kind of omniscient 
lookout point, modal formulas are evaluated at some particular point of the model. 

Definition 1.2.4. Given the model M — (W, (R r )reREL, V) and w E W, we inductively define 
the notion of a formula p being satisfied (or true) in M at the point w as follows: 



M,w\=T 




always 


M,w h -L 




never 


w \= p 


iff 


w e V(p) p E PROP 


w \= 


iff 


M, w \£ (p 


M, w \= if Aip 


iff 


M, w \= (p and M, w \= i/j 


M, w \= ipV i> 


iff 


A4,w \= <p or M. , w \= ip 


A4. w \= (p —> ip 


iff 


A4,w ^ (/? or |= ip 


M, w \= (p +± ifj 


iff 


M , w \= (p if and only if Ai , w \= 


M, w \= (r)<p 


iff 


there is a w' such that wR r w' and w' \= ip 


M,w |= [r](p 


iff 


for all w' such that wR r w', M,w' \= <p 



Given a model M, we say that p is globally satisfied (or globally true) on M, and write 
M. |= ip, if for all points w in the domain of M. we have that A4,w \= (p. A formula p is 
universally valid if it is globally satisfied in all models, and in that case we write |= p. A 
formula p is satisfied in a model M. when there is a point in M. where p is true, and p is 
satisfiable if there is some point in some model at which it is satisfied. When working with 
sets of formulas, these definitions are lifted in the expected way. 



4 



1. Introduction 



1.3 Model equivalence 



Let M and M' be two models for a logic £, and w and w' be two points in M and M! 
respectively. We say that w and w' are ^-equivalent (notation: w =£ w') if they make the 
same £- formulas true. 1 This means that, although the models may be different, if we look at 
w and w' "through the glasses of the logic £" they are indistinguishable. Consider now the 
following two models. 



o 

w 

o 

Mi 



T 

O 

x 2 



Fig. 1.1: The points w and v are BML equivalent. 

Let us consider the basic modal language. Assuming that V{p) = in both models for all 
p E PROP, is there a way to distinguish w from u in BML? That is, is there a basic modal 
formula that is true at w and false at v? It doesn't seem to be easy to find one. On the other 
hand, if we can use first order logic this is quite straightforward: the formula x) is true 

if we assign w to x, and false in the case of v. 



Equivalence as a structural notion 

One could pick two pointed models w) and (A/*, v) and ask wether they are £-equivalent 
for a given logic £ without checking every possible formula. For example, in Figure 1.1, we 
would like to know if there is a structural relationship between the models that makes them 
equivalent for BML. 

In classical first-order logic this relationship corresponds to potential isomorphisms, which 
is defined as follows in [CK90]. 2 

Definition 1.3.1 (Potential isomorphism). Let M.f and J\f^ be first order models with do- 
mains M and N respectively. A potential isomorphism between and J\ff is a relation Z 
on the set of pairs of finite sequences (ai, . . . , a n ), . . . , b n ) of elements of A and B of the 
same length such that: 

(i) 0^0. 

(ii) If (ai, . . . , a n ) Z (&i 5 . . . , b n ) then (M^ ai, . . . , a n ) and (A/^, &i, . . . , b n ) satisfy the same 
atomic formulas. 

(hi) If (ai, . . . , a n ) Z (6i, . . . , b n ) then for all c E M there exists d <E N such that (ai, . . . , a n , c) Z . . . , 6 n , d) 
and vice versa. 

1 When the logic is clear from context we don't add the subscript 2. 

2 In the literature, such as [CK90], potential isomorphism are sometimes called 'partial isomorphism' because 
they are formed of sequences of isomorphism with restricted domain. 
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We use A4? = Aff to note that there exists a potential isomorphism between A4? and AT? . 
Observe that potential isomorphism relations are symmetrical, that is, AA^ = J\ff if and only 
ifAf f ^M f . 

Given two first-order models AA$ \j\ff if AA^ = Aff then the models are indistinguishable 
by first-order logic [CK90, Proposition 2.4.4] (they are also called elementary equivalent). 

In the modal domain, take the basic modal logic as an example, the notion of bisimulation 
between models gives a structural notion which implies that the models are equivalent when 
looking through the glasses of basic modal logic [BdRVOl, Section 2.2]. For a detailed historical 
insight on bisimulation we recommend [San09]. 

Let's take a look at the definition of bisimulation for the basic modal logic. We will give 
the definition for the monomodal version of BML because its simplicity is suitable for this 
introduction but all the definitions and results of this chapter also hold for the multimodal 
case. 

Definition 1.3.2 (Bisimulation for BML). A bisimulation between two BML models A4 = (W, R, 
and AA' = (W, R', V) is a non-empty binary relation Z C W x W' between their domains 
such that whenever wZw' we have that: 

Atomic harmony: w and w' satisfy the same propositional symbols. 

Forth: if wRv, then there exists a point v' in AA' such that vZv' and w'R'v'. 

Back: if w'R'v 1 then there exists a point v in AA such that vZv' and wRv. 

If there is a bisimulation between two models AA and AA' we say that AA and AA' are bisimilar 
and we write AA i±AA'. Moreover, we say that two points w E M and w' E M' are bisimilar 
if they are related by some bisimulation, and we write w t± A4',w'. We write w i± w' 
when the models are clear from context. 

Returning to the models M\ and M2 we have just presented in Figure 1.1, it is easy to 
see that M\,w fztM.2,v- The bisimulation would be as follows (the dotted line indicates the 
pairs in the bisimulation relationship): 

Q 

w \ V 

a. " "~'~~-~Q 



Fig. 1.2: Bisimilar models. 

The definition of bisimulation we just gave is specifically designed for the basic modal 
logic, and thus the expected property is that satisfiability of formulas in the basic modal logic 
is invariant under bisimulations as proved in [BdRVOl]. 

Theorem 1.3.3. Let A4 and M! be two Kripke models over the same signature. Then, for 
every w E M and w' E Ad', if w w' then for every formula (p of BML, AA^w |= (p if and 
only if M' \ w' \= p. 
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The aforementioned logics, namely BML and first order logic, have both negation and 
disjuction in their languages and both "model equivalence" notions (bisimulation and po- 
tential isomorphisms) are symmetrical. In many areas of computer science one finds logical 
formalisms that lack some of the standard Boolean connectives 'and', 'or' and 'not'. In par- 
ticular, negation-free logics are widely used in areas as diverse as semantics of programming 
and knowledge representation. In some applications, such as the generation of referring ex- 
pressions [AKS08], Boolean negation may be unnatural. 

Take now the basic sub-boolean modal logic, BML", which is defined as BML but doesn't 
have negation nor the □ modality. As the language is weaker, the notion of model equivalence 
should change. Bisimulations, for example, are too strong for negation-free logics because 
they preserve negation. In [BdRVOl, Definition 2.77] we can find the definition of the concept 
of simulation for negation- free logics. If there is a simulation from Ai,w to A/", v then every 
formula true at Ai, w is also true at J\f, v. The formal definition is as follows. 

Definition 1.3.4 (Simulation for BML"). A simulation between two models At — (W, R, V) 
and Ai' — (W f , R\ V) is a non-empty binary relation Z C W x W' between their domains 
such that whenever wZw 1 we have that: 

Atomic condition: If w G V(p) then w' G V(p) for all p G PROP. 

Forth: if wRv, then there exists a point v r in Ai' such that vZv 1 and w'R'v'. 

If there is a simulation between two models Ai and Ai' we write Ai ^ M! '. Moreover, we 
say that two points w G Ai and w' G Ai' are similar if they are related by some simulation, 
and we write At, w :± Ai\ w' . We write w zztw' when the models are clear from context. 

Observe that, in this case, half of the "Atomic harmony" condition has been removed. 
Another point to be taken into account is that even though BML's bisimulation is symmetrical, 
simulations need not to be. This notion is specially suited for BML" and preserves every 
formula formed from A, V and O. The following theorem states this formally. 

Theorem 1.3.5. Let Ai and Ai' be two Kripke models over the same signature. Then, for 
every w G Ai and w' G Ai', if w z±w r then for every formula ip of BML"; w \= ip implies 
M',w'\=(p. 

As the notion of simulation is less restrictive than the notion of bisimulation it should 
be no surprise to find models which are similar but not bisimilar. Take, for example, the 
following two models. 

Again, the dashed lines indicate the pairs in the simulation relation. We can see, that 
Aii, wo ^ At2,vo, on the other hand, there is no bisimulation linking them. To show this, 
it is enough to exhibit a formula ip such that ^2,^0 \= ¥ and Ati,wo \/= (p. In this case, a 
possible formula is Or. 

Equivalence as a game 

These notions of model equivalence can also be presented using a more dynamic perspective, 
closer to a form of process equivalence. For example, the task of determining whether two 
models are bisimilar can be recast in the form of an Ehrenfeucht-Fraisse game [EFT84]. 
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Mi 



M 2 




Q 




Fig. 1.3: Similar but not bisimilar. 



Let (Mi,w\) and be two pointed models. An Ehrenfeucht-Fraisse game for the 

basic modal logic is denned as follows. There are two players called Spoiler and Duplica- 
tor. Intuitively, Spoiler tries to devise a property true in one model and false in the other. 
Conversely, Duplicator tries to 'copy' the property from one model to the other by imitating 
Spoiler's movements. 

The two players compare successive pairs, starting from (A4±,wi) and (M2, ^2)- Duplica- 
tor immediately loses if w± and W2 do not coincide in the propositional symbols. Otherwise, 
the game starts, with the players moving alternatively. Spoiler always makes the first move 
of the game. In a turn of the game, Spoiler starts by choosing in which model he will make 
a move. After that, he chooses a point which is a successor of the current w\ or W2, and Du- 
plicator responds with a matching successor in the other model. If the chosen points differ in 
the atomic propositions, Spoiler wins. If one player cannot move, the other wins. Duplicator 
wins on infinite runs. 

Note that with this definition, exactly one of Spoiler or Duplicator wins each game. A 
strategy for Duplicator is a function that takes a valid state of the game (i.e. a pair (a, b) 
with a G \Mi\ and b E I.M2I) and returns a possible next move for Duplicator. A strategy for 
Spoiler is defined in the same way but note that the function should also return the model 
in which Spoiler should make the move. We say that a player is following a strategy a when 
all his moves in a game comply with the answer of a for every stage of the game. A strategy 
is winning if the player following it necessarily wins the game, no matter what his opponent 
plays. Given two pointed models (M\,w\) and (M2, ^2) we will write (Mi,w\) =& (M2, ^2) 
when Duplicator has a winning strategy for the game. 

Intuitively, this game captures exactly the zigzag behavior of bisimulations, and the atomic 
harmony condition. The two notions are equivalent, but depending on the context, one can 
be more natural than the other. 

Proposition 1.3.6. [GO05] Let (Mi,w\) and (M2, W2) be two BML pointed models, then 
(Mi, w\) =b (M2, W2} if and only if (Mi, wi) i± (M2, w 2 ). 

The perspective of model equivalence as a game is not restricted to the basic modal logic. 
With minor modifications to this notion of game we can create a notion that is suitable for 
BML", for instance. An Ehrenfeucht-Fraisse game for BML" is the same as the game for the 
basic modal logic but spoiler can't choose the model where he is playing. That is, Spoiler 
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starts playing in Mi and he won't be able to change to M.2- 

Suppose that Spoiler and Duplicator start a game standing in (Mi,wi) and (M2,W2) 
respectively. If Duplicator has a winning strategy then .Mi, w\ z± M2, W2. On the other hand, 
if Spoiler has a winning strategy then M\,w\ ^± M2, W2- We will write (.Mi, w\) = s (M2, W2} 
when Duplicator has a winning strategy for the game. The following proposition states the 
equivalence between BML" simulation and the game definition. 

Proposition 1.3.7. Let (.Mi, wi) and (M2, W2) be two BML" pointed models, then (.Mi, w\) = s 
(M2, w 2 ) if and only if (Mi, w i) — (M2, ^ 2 ). 

Summing up, simulations and bisimulations are very powerful tools to measure the expres- 
sivity of a logic: they provide us with structural conditions on the models that characterizes 
the appropriate structure preserving morphisms. Since simulations are directly linked to the 
expressivity of a given logic, there is not a unique notion of simulation. Here we have just 
presented the notion of bisimulation for BML and simulation for BML", but for every logic we 
need to find a suitable definition, and this notion will reflect the logic's expressive power. In 
this sense, looking for the appropriate notion of model equivalence allows us to learn about 
the logic we are working with. 

1.4 Saturation 

We have discussed a lot about model equivalence notions, in particular about simulations and 
bisimulations, but we have been avoiding a fundamental question. Let's focus on bisimula- 
tions, we know that M,w i±N, v implies M, w = A/", v. Does, in general, the converse hold? 
That is, does M,w = A/", v imply M,w t±Af,v? The answer is no. Consider the following 
two models: 



It can be shown that, although w and w' satisfy the same BML formulas, there is no 
possible bisimulation between them. Recall that in Section 1.3 we presented an alternative 
interpretation of bisimulations as games. We will now use that notion to prove that these 
models are not bisimilar. 

Set a game between Duplicator and Spoiler with them starting at (Mi,w) and (M2,w f ) 
respectively. The first turn is for Spoiler. He chooses to stay in M2 and move to the successor 
of w' that lays in the infinite branch of the model. Now it is Duplicator's turn, he must move 
to a matching world in M\. As the atomic harmony condition is trivially satisfied by any two 
pairs of these models, the only problem could arise if Spoiler makes a move and Duplicator 
has no possible successors to move to. Duplicator has to choose a branch in Xi and move 
to it. Suppose, without loss of generality, that Duplicator chooses a branch with k nodes. 




w 




Mi 



M 2 
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You can easily see that, as there is no going back, if Spoiler carries on moving in his infinite 
branch there will be a moment (after k moves) when Duplicator hits the end of his branch in 
A4±. In that moment Spoiler wins the match. 

The strategy we've described guarantees that Spoiler will win no matter what Duplicator 
chooses. Therefore, as Spoiler has a winning strategy the models are not bisimilar. In fact, 
as Spoiler starts the game in M.2 and never changes the model this argument proves that 
M.2,w f -f±M.\,w which is a stronger result. 

Do not panic. There are some classes of models where modal equivalence implies bisimi- 
larity. A very useful one is the class of ^-saturated models. In order to present this class we 
need some previous definitions. 

The following notions will be given in terms of first order models and not BML models 
but this shouldn't carry any problem. Later, in Section 4.2, we will see that there is a 
straightforward formalization that lets us think of a model as a BML or first order model 
interchangeably. 

Notation 1.4.1. We will use (f(x) to note first order formulas with at most one free variable 
x this notation extends to sets T(x) as expected. The notation g[x H> w] denotes a valuation 
g f that is the same as g on every parameter except on x where g'{x) — w. Given a first order 
formula ip(x) we will hereafter note \= ip(x)[w] to mean A4^g[x h-> w] \= tp(x). Observe 
that, as (f has only one free variable x the valuation will be irrelevant. Given a model A4 we 
use \M\ to denote the domain (or universe) of M. 

Definition 1.4.2. A set of first order formulas with (at most) one free variable is called a 
type. Given a model Ai^ we say that a type T{x) has a witness if there exists a state w such 
that for every formula <p(x) E T(x) we have \= ip(x)[w]. A type is finitely realizable if 
every finite subset has a witness. 

Definition 1.4.3 (Expansion). Let be a first order model with domain W. For A C W, 
the expansion of $ with A (noted $[A]) is obtained by extending $ with new constants a for 
every element a E A. The model A4 A is the same as but interprets the constants as 
expected. 

We are now ready to define cj-saturation. Informally, it resembles some kind of 'intra- 
model' compactness. That is, given a type T(x) if every finite subset is satisfied in (possibly 
different) elements in then there is a single element in which satisfies the whole set. 
Formally speaking the definition is as follows. 

Definition 1.4.4 (cj-saturation). A first order model is called uo-saturated if for every 
finite A C \M f \ the expansion has a witness for every type T(x) that is finitely realizable 
in M f A . 

In the beginning of this section we presented two models. One of them had branches 
of increasing length, the other one was an exact copy of the first but with an extra infinite 
branch. We have already seen that, in some sense, the first model was 'lacking' something 
that the second one had. The saturation that cj-saturated models have make them complete 
in this sense. The following theorem is a very important result which gives strength to the 
class of ^-saturated models. 
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Theorem 1.4.5 ([BdRVOl]). Let (M,w) and (J\f,v) be two cj-saturated models, 

If M, w = J\f, v then M,w t± A/", 

Therefore, in the cj-saturated class, bisimulation and BML equivalence coincide. This 
proof strongly uses the structural definition of bisimulations and thus we will not get into this 
kind of detail until we need it in Chapter 5. 

A particularly interesting fragment of the cj-saturated class is the finitely branching frag- 
ment, that is, every world has only finitely many successors. Another different (and more 
restrictive) example of cj-saturated class is the class of finite models. 

To finish this section we want to say some final words about cj-saturated models. The 
use of cj-saturated models will be crucial to prove the results in this thesis. Because of their 
special properties one could think that these models are rather scarce but, fortunately, they 
abound. Moreover, there is a standard way of, given an model construct an cj-saturated 
model Ad{ such that This theorem is stated as Theorem B.7 and proved in the 

Appendix. 

1.5 What this thesis is about 

For a wide spectrum of applications, which use logic as a tool, first order logic is enough to 
theoretically solve their problems. However, complications arise when we consider the behavior 
of first order logic in practice. First of all, first order logic is undecidable, that is, there is no 
algorithm to decide whether an arbitrary formula is a satisflable. Second, in general, most 
applications do not use the entire expressive power that first order gives. Therefore, even 
when working in decidable fragments of first order logic, they may be paying an excessive 
payload for things they will not be using. 

Modal logics are very good at molding themselves to fit a particular purpose. If you know 
what you need it is most likely that you can end up with a modal logic which has exactly 
the required expressive power but with better properties than first order logic in terms of 
complexity and decidability. For example, BML is decidable and has a PSPACE-complete 
satisfiability problem. 

Along this thesis we will work with logics that are less (or equally) expressive than first 
order logic. Informally, this means that if one can express a property with a modal formula 
then there is always some way to express the same property in first order. In other words, 
one can say that if a modal formula tp denotes some property then there exists some kind of 
translation to a first order formula (p f which denotes the same property. 

Johan van Benthem studied the connection between modal and first order logic [vB84]. 
One of his best known results in this area is the 'Characterization Theorem' which identifies 
BML as the bisimulation-invariant fragment of first order logic. Informally, one can state the 
theorem as follows. 

Theorem. A first order formula a is equivalent to the translation of a BML formula if and 
only if a is invariant under bisimulations. 

Note that in this case the notion of bisimulation is that of BML. As we have said before, 
every modal logic should have a potentially different notion of bisimulation. For example, we 
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have already seen the notion of simulation for BML". Using this notion, Kurtonina and de 
Rijke proved that BML" is the simulation-invariant fragment of first order logic. 

BML is just the tip of the iceberg, there exist plenty of extensions of BML to suit particular 
needs. Many modal logics admit a translation to first order logic and a characterization of 
this kind has been given for some of them. One essential problem is that there seems to be 
no general proof and every case needs a new ad-hoc proof. 

The birth of the concept of bisimulation and correspondence theory helped answer new 
questions from a purely model-theoretic perspective. One example is the characterization of 
modal definability. Informally, we say that a class of models is definable by a set of formulas 
T if it is composed of exactly all the models where T is valid. A class is definable by a single 
formula if it is definable by a singleton set. 

It would be interesting to know which properties should a class of models satisfy in order 
to be defined by a modal formula or by a set of modal formulas. This question had previously 
been stated and answered for classical first order logic [CK90]. Whereas the answer for first 
order logic is presented in terms of potential isomorphisms, in the case of modal logics, the 
notion of bisimulation plays an essential role. To uncover the panorama we cite the following 
result for BML which can be found in [BdRVOl]. 

Theorem. A class of models K is definable by means of a single BML formula if and only if 
both K and K are closed under bisimulations and ultraproducts. 

Do not worry about what 'ultraproducts' means right now. They will be introduced 
when needed. Just bear in mind that they are useful model construction tools (with algebraic 
roots) which first caught the attention of logicians because they could be used to give a purely 
algebraic proof of the Compactness Theorem for first order logic. For a detailed survey on 
ultraproducts we recommend [Kei08]. 

As with the characterization theorem, definability results similar to the one presented here 
also hold for a vast number of modal logics. Similarly, every logic has a proof that is specially 
crafted for that case. 

Clearly, characterization and definability results help us to better understand a logic. 
Interestingly, these results also have a great impact in practical computer science. 

Consider the following problem: Suppose you are into model checking, that is, given a 
model of a system, test automatically whether this model meets a given specification. Suppose 
that the specification can be written as a first-order formula (p. 

You could always use first-order tools to check if the model satisfies tp but that can result 
in a high complexity cost as we have already mentioned. One could try to see if there are 
'cheaper' logics that can be used to solve the problem. If we can express the same property 
in some modal logic we may be able to drastically optimize the process. 

Let's discuss a concrete example. Suppose that the points in our domain model the 
different states in the execution of a program and there is a transition from one point to 
another if there is a possible transformation that brings state a into b. Thinking of the model 
in this way would imply that states without successors (also called endpoints) are states were 
the program has halted. 
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One possible property to be checked could be "every point should be able to immediately 
'escape' from the flow of execution", meaning that, every point should be able to directly see 
an endpoint. This property can be verified by checking that the first order formula 

ip(x) = 3y.R(x,y) (3z.R(x, z) A Vw.->R(z,w)) 

is valid in the model but it can also be checked by verifying that the BML formula — OT — » OD_L 
is also valid in the model. As we have an equivalent BML formula, we can now use model 
checkers that accept BML formulas to solve our problem. 

Apart from being more 'user friendly', the sole existence of the formula tells us that 
the property is invariant under bisimulations and this information bears an extra benefit. 
Suppose that the model is automatically generated from a piece of code. If, for example, we 
feed the generator with the code of an entire operating system, the resulting model will be 
very large. 

It is not the purpose of this thesis to get into this topic but there are (efficient) algorithms 
to automatically minimize the model which preserve the truth of formulas invariant under 
bisimulations [Hop71, Gri73]. Therefore one could first minimize the model and then model 
check over the resulting model which will most likely be small with respect to the original 
one. 

On the other hand, suppose now that we want to check whether the model is 'ir reflexive', 
that is, no element is related with itself. If we interpret this property in the setting described 
above, it would mean that no state has the possibility to 'hang' in itself. 

In this case, although the property can be verified checking the validity of the first order 
formula -iR(x, x) in the model, there is no BML formula which does the job. This can be 
shown easily because 'irreflexivity' is not invariant under bisimulations. Moreover, BML has 
the so-called tree model property which means that every formula satisfiable in a model is also 
satisfiable in a model which is a tree. As a corollary we get that there is no BML-formula 
characterizing irreflexivity, antisymmetry nor intransitivity. 

Is this the end of modal logic? Are we condemned to use first-order logic in this case? 
Fortunately, the answer is no. Although BML can't express those properties, there are richer 
logics (which still lay below first order) which can do the job. For example, Hybrid Log- 
ics [BdRVOl] and the less known Memory Logics [AFFM08] which will be introduced later in 
this thesis. 

To summarize, model theoretic results such as Characterization and Definability give 
important information about different logics. It is well known that the proofs of those results 
for several modal logics have, somehow, the same 'taste'. A general proof for most modal logics 
below first order is still too ambitious. In this thesis we plan to isolate sufficient conditions for 
the characterization and definability theorems to hold in a wide range of logics. Along with 
these conditions we will prove that, whichever logic that meets them, satisfies both theorems. 
Therefore, one could give an unifying proof for logics with already known results. Moreover, 
one will be able to prove characterization and definability results for logics that have not yet 
been investigated. In both cases, it is only needed to check that a logic meets the requirements 
to automatically derive the desired results. 



2. KNOWN RESULTS FOR BML 



If we want to generalize a result we'd better understand how it works in specific cases. This 
chapter is devoted to sketching the proof of some theorems for BML. This will be helpful 
to identify the main ideas in their proofs and, with them in mind, get ready to undertake a 
generalization. 

2.1 Characterization 

We have talked about van Benthem's characterization theorem. We know that BML is strictly 
less expressive than first order logc, therefore, there are some 'statements' that you can make 
in first order logic which can't be made in BML. Informally, the Characterization Theorem 
identifies which first order formulas have an equivalent formula in the language of BML. More 
formally it is stated as follows. 

Theorem (van Benthem). A first order formula a(x) with at most one free variable is equiv- 
alent to the translation of a BML formula if and only if a{x) is invariant under bisimulations. 

Some work is needed for this wording to be precise. First of all, we are comparing modal 
formulas with first order formulas. Also, implicitly, when we talk about two formulas being 
'equivalent', we are evaluating them in some model. That's a problem because BML formulas 
are evaluated in Kripke models and first order formulas aren't. 

For us to be able to do such comparison between BML and first order logic we need to 
define a formula translation and a way to interpret every BML model as a first order model 
and vice- versa. 

For this chapter we will set the signature for BML to be S = (prop,REl) with PROP = 
{pi,P2, • • • } and REL = {R} therefore we will use a single diamond. This restriction to the 
unimodal case is only to make this introduction simpler. All these results also hold for the 
multimodal case. 

Definition 2.1.1 (Standard Translation). The Standard Translation function ST X takes a 
BML formula and returns a first order formula with at most one free variable x. It is defined 
as follows. 



We only define the translation for a basic (and adequate) connective set. It extends to the 
full set of connectives as expected. 

In this definition, we can already see that first order formulas include relations Pi and 
i?, this may give us a hint to define the first order signature. A first order signature is a 



ST x (pi) 
ST x (^<p) 

ST x (Ocp) 
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tuple (frel, fconst, ffunc) where frel is the set of relation symbols, fconst is the set 
of constant symbols and FFUNC is the set of function symbols. In our case we define the 
first-order signature to be T — ({P, Pi, P2, . . . }, 0, 0). 

Definition 2.1.2 (First order model). A first order model over the signature J 7 is a tuple 

— (A, (i?^)i?£FREL5 (f 1 ) /GFFUNC5 ( C ^) cGFCONSt) 

where A is the (non empty) domain, each R 1 is the interpretation of the relation symbol P, 
each f 1 is the interpretation for the function symbol / and each c 1 is the interpretation for 
the constant symbol c. 

In general we add a superscript or subscript / to first order models so it is easier to 
distinguish them from modal models at first sight. We use e, w, v, . . . to refer to elements of 
the domain of some model and g, /i, . . . to refer to first order valuations. 

The crucial point now is to see that there is a bijection between BML models over the 
signature S and first order models over the signature T . Given a BML model M = (W, P, V) 
we can think of it as a first order model defined as 

M f = (W,{R,P 1 , P 2 ,... },$,$) 

where Pi = V(pi). With this definition one can easily see that, given a BML model A4 and 
w E W; M,w \= pi if and only if \= Pi(x)[w\. 

On the other hand, observe that any first order model in this signature should be of the 
form M f = (W, {P, Pi, P 2 , . . • }, 0, 0) and one can therefore build a BML model analogously. 

As it is usual in the literature, we will use, for this chapter only, the same model and think 
of it as a BML or first order model as convenient. Now we can state the theorem that links 
BML with first order. 

Theorem 2.1.3 (Truth preservation). Let M be a BML model, w G \M\ and <p be a BML 
formula, 

M, w \= (p if and only if M \= ST x ((p)[w]. 

This theorem states that for every BML formula there is a first order formula which is 
true in exactly the same worlds, thus, they are equivalent. Now that we have this theorem 
at hand it becomes clearer that we can compare formulas and models between BML and first 
order logic. 

The Characterization Theorem is stated in terms of 'bisimulat ions' and uses notions we 
haven't yet defined. To begin with, we copy the definition of BML bisimulation given in 
Section 1.2. 

Definition 2.1.4 (Bisimulation). A bisimulation between two models A4 = (W,R,V) and 
M r — {W , R 1 \V r ) is a non-empty binary relation Z CW x W' between their domains such 
that whenever wZw' we have that: 

Atomic harmony: w and w' satisfy the same propositional symbols. 

Forth: if wRv, then there exists a point v' in M 1 such that vZv' and w'R'v'. 

Back: if w'R'v 1 \ then there exists a point v in A4 such that vZv' and wRv. 



2. 1 . Characterization 
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In particular, the theorem talks about first order formulas being bisimulation-invariant. 
Van Bent hem defines this concept as follows: 

Definition 2.1.5 (Bisimulation invariance). A first order formula a{x) is invariant for bim- 
ulations if for all BML models M,M and w E \M\,v E \Af\ such that M,w i± M,v the 
following holds: 

M h ol(x)[w] iff M |= 

Observe that, so far, we only know that BML formulas are invariant for bisimulations and 
we don't have a result regarding first order formulas. The result for BML formulas was stated 
in Theorem 1.3.3. On the other hand, when talking about first order formulas, some may be 
invariant for bisimulations and some others not. The set of formulas that are invariant for 
bisimulations is exactly the one identified by the characterization theorem. 

As an example, take the following two BML-bisimilar models. The first model is a single 
reflexive point and the second one is isomorphic to (IN, <). 1 The dashed lines represent the 
pairs in the bisimulation relation. 




Now take the first order formula ip(x) = R(x,x). This formula holds at an element of the 
domain if and only if it is reflexive. It is clear that Mi \= ip(x)[w] and M2 ip(x)[w f ]. 
As there is a bisimulation w i± w\ this two models serve as a proof that reflexivity is not 
invariant under bisimulations. 

This also means that there is no possible BML formula equivalent to ip(x). Suppose that 
there exists a BML formula ip whose translation is equivalent to (p. By Theorem 2.1.3 we have 
that Mi, w \= iff Mi \= <p(x)[w] and M2, \= iff M2 \= tp(x)[w'\. We can conclude that 
M\,w \= and M2,w f Y= '0. This contradicts Theorem 4.2 because, as it is a BML formula, 
should be invariant under BML bisimulations. 

We have proved that as ip(x) is not invariant under bisimulations it is not equivalent 
to the translation of any BML formula. What we have done for one particular case, the 
characterization theorem proves for an arbitrary first order formula. Moreover, it also proves 
the converse. Now that we understand what we are trying to prove we are ready to begin 
with the proof itself. 



1 Therefore BML can't distinguish between a single reflexive point and the naturals. It is surprising that, 
as weak as it is, BML is still useful in practice. 
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The proof of the Characterization Theorem 

In this section we will skim through the proof of van Benthem's Characterization Theorem. 
It is not the goal of this section to give a detailed proof but to review the main ideas that 
support it. For a detailed proof refer to [BdRVOl, Section 2.6]. 

Theorem. A first order formula a(x) with at most one free variable is equivalent to the 
translation of a BML formula if and only if a(x) is invariant under bisimulations. 

Left to right. This direction is easy, we argue by contradiction. Suppose that a(x) is equiva- 
lent to the translation of a BML formula tp and it is not invariant under bisimulations. That 
is, there exist (A4, w) and (AA, v) such that M, w i±N,v but M \= a(x)[w] and Af ty= a(x)[v]. 

Using Theorem 2.1.3 we get that Ai,w \= tp and Af, v \/= (p. As we have a bisimulation 
linking those points and (p is a BML formula this drives us to a contradiction to Theorem 1.3.3. 
Absurd. □ 

Right to left. All the magic is in the proof of this direction. Suppose that a{x) is invariant 
under bisimulations. Define the 'modal consecuences of a' as follows. 

MOC(a) = {ST x ((p) : <p is a BML formula and a(x) \= ST x ((p)} 

It is trivial (by definition) that a(x) \= MOC(a). As MOC(a) is formed by the translation 
of BML formulas, if we can show that MOC(a) \= a{x) then we are done. We first sketch 
the proof for this statement and then carry on. 

Suppose that MOC(a) \= a(x), by compactness of first order logic there exists a finite 
subset A C MOC(a) such that A |= a(x). We therefore have |= /\ A <H> a(x). As every 
formula in A is the translation of a BML formula and ST x ((p A — ST x (<p) A ST X {^) we can 
conclude that f\ A is also the translation of some BML formula. Therefore we have proved 
that a{x) is equivalent to the translation of a BML formula. 

Hence, it all boils down to proving that MOC(a) \= a{x). Assume that an arbitrary 
model satisfies M \= MOC(a)[w]; we need to show that A4 \= a(x)[w]. The proof goes as 
follows (we now focus on the ideas and then provide more detailed steps): 

1. We first 'create' a new model (Af,v) such that M,w = J\f,v and AA, v \= a(x). We 
would like to transfer the validity of a(x) in A/", v to A4,w. 

2. Using standard model theoretic tools (that will be explained later) we construct, for 
Ai, w and A/", v, cj-saturated extensions A^*, w* and AA*, v* which are elementary equiv- 
alent to their originators. That is, they have the same first-order theory and they are 
cj-saturated. Observe that this implies A/P, = AA*,i;* and AA* |= a(x)[v*]. 

3. Using Theorem 1.4.5 seen in Chapter 1, as A/f*,u>* = A/**,i;* (and they are saturated) 
we have that M*,w* t±AA*,i;*. 



4. 



Finally, as AA* |= a(x)[i;*] and a(x) is invariant under bisimulations we get that A^* |= 
a(x)[w*}. As A^* has the same first order theory that its originator we conclude that 
M\=a(x)[w]. □ 



2.2. Definability 
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That's it! Those are the main points to bear in mind. The whole idea is to make a 'detour' 
through the class of first order ^-saturated models where bisimulation and equivalence do 
coincide. We can now proceed with the dissection of each point. 

For the first point we do the following. Define the set T as the translation of the BML 
theory of M,w, formally speaking 

r = {ST x {ip) : (f is a BML formula and M |= ST x (<p)[w]}. 

We claim that T U {a(x)} is satisfiable. Suppose not, by first order compactness there is 
an unsatisfiable finite subset To C T U {a(x)}. Observe that To = {a(x),7i, . . . , 7 n } should 
include a(x). If it is unsatisfiable it means that |= a{x) —¥ -> At«- Hence, -> /\ 7^ E MOC(a) 
because it is a modal consequence of a(x). Remember that one of our hypothesis was A4 \= 
MOC(a)[w] therefore A4 \= -> f\^i but this is impossible since every formula in Y was true 
at w by definition. Absurd. 

As TU{a(x)} is satisfiable we can say that there exists a model Af and an element v G \Af\ 
such that Af \= T[v] and Af \= a(x)[v]. 

For the next three points the explanation given above should suffice. For further details 
we give the references where the theorems that we used are proved. For the second point we 
use Theorem B.7 of the Appendix on M and Af and conclude exactly what we need. The 
theorems needed for the third point are already mentioned in the enumeration so there is 
nothing to add. The last point is the grande finale where the validity of a{x) is transfered 
over the bisimulation to end up in AA, w. 

Observe that this proof works for BML which is a logic that has negation and disjunction. 
For negation- free logics the proof needs to be changed a little and for logics lacking disjunction 
the proof really changes a lot. In [KdR97] you can find proofs for these languages. 

In Chapter 3 we propose a framework to generalize this proof. Although the proof devel- 
oped in this chapter looks pretty simple, in every step it makes use of a lot of suppositions 
that we may not be aware of. In a general scenario we will be working with an arbitrary 
translation, an arbitrary signature, an almost unknown model structure, etc. Because of the 
amount of uncertainty that we will have, we will need to do more complex detours to take 
the flux of the proof to some better known landscape. Be sure to remember this proof when 
reading Chapter 3 and 4. Going back and forth may be useful to understand the motivation 
for some definitions. 

2.2 Definability 

In Section 1.5 we presented a piece of one of the Definability results for BML. In this section 
we start by defining the concepts needed to state the full result. 

Notation 2.2.1. Let K be a class of models we write K to denote the complement of K with 
respect to the class of all models. This notation will be used for both modal and first order 
models. 

Definition 2.2.2. Let K be a class of pointed BML models. 
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(i) K is definable by a set of formulas T if and only if for every (M,w) it holds that M,w \=T 
if and only if (M, w) E K. 

(ii) K is definable by a single formula if it is definable by a singleton set. 
Theorem 2.2.3. Let K be a class of BML models. 

(i) K is definable by means of a set of BML formulas if and only if K is closed under 
ultraproducts and bisimulations and K is closed under ultrapowers. 

(ii) K is definable by means of a single BML formula if and only if both K and K are closed 
under bisimulations and ultraproducts. 

As before, we have to define what the closure condition mean for this theorem to make 
sense. We start by giving an informal introduction to ultraproducts. For this section it is 
enough to think of ultraproducts as follows: Given a family of first order models (Mi,Wi)i e j 
we can combine them and get a resulting model which is called the ultraproduct. 2 When every 
model in the family is the same we call the resulting model an ultrapower. 

This new model satisfies some nice properties that will be useful for us. We take one of 
them from Appendix B to illustrate the idea. 

Theorem. Let M^w be the ultraproduct of (Mi,Wi)i e i and let T be a set of first order 
formulas. 

• If every Mi, wi \= T then M, w \=T. 

• In the particular case of an ultrapower this implies that Mi,Wi \= ip if and only if 
M,w |= ip. 

We are ready to define the closure under ultraproducts and ultrapowers. These definitions 
should only be used for the special case of BML. In the next sections we will need to redefine 
these notions to have a broader reach. 

Definition 2.2.4. A class K of pointed BML models is closed under ultraproducts if and only 
if, for every family of BML models (Mijiei with Mi E K the ultraproduct of those models 
also belongs to K. The closure under ultrapowers is defined as expected. 

With respect to the closure under bisimulations, it is a lot easier to imagine what it means. 
We define the notion of closure under bisimulations for the special case of BML bisimulations. 

Definition 2.2.5. Let K be a class of BML models, it is closed under bisimulations if and 
only if the following holds: For every (M,w) E K, if (Af,v) is such that M,w i±Af,v then 
(A/» E K. 



2 Strictly speaking, there is also another ingredient which is called 'ultrafilter'. Consult Appendix B for 
further information on ultrafilters and ultraproducts. We recommend its lecture. 



2.2. Definability 
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The proof of the Definability Theorem 

In this section we give a sketch of the proofs for the right to left directions of the theorem. A 
detailed version can be found in [BdRVOl, Section 2.6]. 

Right to left of (i). Suppose that K is closed under ultraproducts and bisimulations and K is 
closed under ultrapowers. The main ideas to prove this theorem are the following: 

1. Propose a set F = 'theory of K' as a candidate set of formulas defining K. Every model 
of K trivially makes F true. For F to define K we still need to prove the other half, that 
is: If M, w \= F then (M, w) E K. 

2. Take any M,w \= T, we will get to a contradiction by assuming that (M,w) E K. We 
start by showing that there is a model (A/*, d)gK such that A4, w = A/*, v. Here we will 
use that K is closed under ultraproducts. 

3. As we did in the proof of the characterization theorem, we construct, for A4, w and A/", v, 
cj-saturated extensions M*,w* and AA*,?;* which are elementary equivalent to their 
originators. That is, they have the same first-order theory and they are ^-saturated. 
Observe, again, that this implies M*,w* = Af*,v* and AA* |= a(x)[v*]. 

One important difference with respect to the proof of the characterization proof is that 
here we use that K and K are closed under ultrapowers and conclude that (A4*, w*) E K 
and (AT*,v*) E K. 

4. Using Theorem 1.4.5 seen in Chapter 1, as M*,w* = AA*,i>* (and they are saturated) 
we have that M*,w* t±AA*,^*. 

5. Finally, as M*,w* t±AA*,t;* and K is closed under bisimulations then (AA*,t;*) E K. 
Absurd, in point 3 we had said that (A/**, v*) E K. 

As seen before, one of the central tricks is the detour through cj-saturated models. The details 
are as follows: In the first point the set should be defined as 

r = {(f : for every model (A, u) in K; A, u \= (/?}. 

For the second point, let S = {ip : M, w \= ip} be the theory of (A/f, w). If we find a model in 
K that models S then it will be BML equivalent to (Ai,w). 

The proof in [BdRVOl] hand-crafts an ultraproduct of models to make this step but we will 
take a route which keeps us away from the inner works of ultraproducts. Suppose that there 
is no such set in K making true all of E. By Theorem A.l there exists a finite subset Eq C E 
that is not satisflable in K. Then -i/\Eo would be true in K. In particular, A4,w \/= /\^o- 
This is absurd because Eo is a subset of w's theory. 

Therefore, there exists a model (AA, d)gK such that A/", v \= E which implies that A4 , w = 

N,v. 

The third and fourth points are justified as in the characterization theorem and the fifth 
point is self-explanatory. □ 
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Right to left of (ii). Suppose that both K and K are closed under bisimulations and ultraprod- 
ucts. Using the first part of this theorem we know that there exist two sets ]?!, T2 respectively 
defining K and K. It is clear that their union should be unsatisflable because no model can 
be in K and K at the same time. 

Using the compactness theorem, as Ti U T2 is unsatisflable there must be a finite subset 
Tq C Ti U Y2 which is unsatisflable. Let Tq = {a\, . . . , a n , . . . , f3 m } where ol\ E I\ and 
(3j E T2- As Tq is unsatisflable we can say that |= a\ A • • • A a n — A • • • A f3 m ). We show 
that it is exactly <p = a\ A • • • A a n that defines K. 

Trivially every model in K satisfies ip. For the converse, take .M, w \= a\ A • • • A a n , then 
M, w ty= Pi A • • • A p m therefore (M, w) £ K which means that (M, w) E K. □ 

To close this section we want to draw attention to one of the hypothesis in (ii): the need 
for both classes to be closed under bisimulations. Observe that, as the bisimulation relation is 
symmetric we could've just asked for either K or K to be closed under bisimulations and that 
would 've been enough. One can prove that K is closed under bisimulations if and only if K is. 

On the other hand, in the proof of (ii) from right to left, we strongly use that both 
classes are closed under bisimulations to get two sets that define each of the classes. What 
would happen now if we were talking about simulations? As simulations are not necessarily 
symmetrical we can't be sure that K is closed under simulations if and only if K is. This fault 
brings problems if we want to follow this same proof scheme. 

In [KdR97, KR97] there are alternative proofs for this result for model equivalence notions 
that aren't symmetrical. None of them are general enough to fit the framework that we will 
develop but both have proved of great inspiration for the results given in Section 4.3. 



3. THE GENERALIZED FRAMEWORK 



In this chapter we set up a proper framework which will aid us to prove generalized results for 
modal logics which lay (in terms of expressivity) below first order logic. We start by stating 
in which sense our results pursue a generalization. We will focus on the following two axes. 

Arbitrary modal logic 

We want to obtain characterization and definability results which hold for an arbitrary modal 
logic. Due to the broad spectrum of different logics we still have to stop somewhere. When 
we say 'arbitrary' we mean any modal logic with conjunction and disjunction (interpreted as 
usual) which is interpreted over extensions of Kripke models. 

These logics may come with different model equivalent notions. We want to be able to 
derive results no matter what the simulation or bisimulation relation looks like. We will only 
put constraints on the 'arity' of the relation, that is, it should link an element from the domain 
of one model to an element of the domain of other model. It will later become clear that this 
last generalization comes with a great price to pay: we know nothing about the structural 
properties involved in this notion. 

Relativization to a particular class of models 

The results presented in Chapter 2 were stated with respect to the class of all models. That 
is, BML is the fragment of first order formulas which are bisimulation invariant in the class 
of all first models. Think of the following motivational example. 

The 'Basic Temporal Logic' is a modal logic which is defined as follows: Its language has 
the full boolean connective set and two modalities F and P which are often called 'future' 
and 'past'. The classical perspective on this logic interprets it over Kripke models defined as 
a tuple (W, i?, V) and its satisfaction definition is the following. 

M, w \= Fip iff there is a v such that wRv and A4, v \= (p 
M, w \= Pip iff there is a v such that vRw and A4, v \= (p 

In the definition it is clear that the F modality looks forward in the relation R and the P 
modality looks back on it, hence the names 'future' and 'past'. Observe that the F modality 
can be thought as a normal 'diamond' over the relation R but that is not possible with the 
P modality. 

An alternative interpretation is as follows. Interpret the logic over Kripke models which 
are tuples (W, i?2, V) where R\ = . With this restriction we can give a different 
satisfaction definition for the modalities. 

M,w \= Fip iff there is a v such that wR\v and A4, v \= (p 
M, w \= Pip iff there is a v such that V0R2V and M., v \= ip 

In this case, both modalities are simple 'diamonds' (which have been given fancy names F and 
P). Does a similar characterization theorem hold in this case? Which properties should the 
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restricted model class have for the characterization to hold? These are the kind of questions 
that we will be adressing in the following chapters. 

When talking about definability we can think of relative definability as follows: Is the class 
K definable with a BML formula given that we only consider models within class K'? That 
is, is there a formula tp such that for every model in K', A4,w \= cp if and only if (Ai, w) G K? 

The results stated in Chapter 2 are valid for the special case where K' is the class of 
all models. In practice, depending on the domain of application, it is common to work with 
restricted classes of models such as finite models, tree models, acyclic models, etc. We want to 
know whether these restrictions give us extra information and turn classes that were previously 
undefinable into definable classes. A relativized version of the definability theorem should aid 
us in this quest. 

3.1 Basic definitions 

Definition 3.1.1 (Languages and formulas). We note £ and $ as the source and target 
languages respectively. The source language is an extension of the language 



which has infinitely many propositional variables, conjunction and the true and false con- 
stants. The target language is a (countable) first-order language which may or may not 
contain equality. 

FORM (21) is the set of formulas of the language 21 and FORM(# x ) is the subset of 
FORM (^) with at most one free variable (and that variable is x). 

During this thesis we will deal with source logics which are at most as expressive as 
first order logic. If £ is less or equally expressive than # we should be able to express in $ 
everything that is expressible in £. We have seen before that, for BML, there exists a standard 
translation ST X from BML to first order logic. In general we define a formula translation as 
follows. 

Definition 3.1.2 (Formula translation). A formula translation is a function 



that translates formulas from the source language £ to the first-order language ^. This 
function is required to preserve conjunctions and disjunctions, that is, formally speaking: Let 
(^i, (f2 £ FORM(£) and E {A, V} then for every first-order formula of the form Tf x ((fi) 
Tfx(<^2) there exists an £- formula such that Tf x (tp) =$ Tf x (ipi) Tf x (ip2). 

As we saw before in the definition of BML's standard translation, in general, formula 
translations are defined homomorphically with respect to the boolean connectives. 



V= ((Pi)ielN,A,V,T,_L) 



Tf x : FORM(£) FORM(^) 



Tf x (<pi A ip 2 ) 
Tf x (ipi V <p 2 ) 



Tf x (<pi) A Tf 3.(^2) 
Tf x (<pi) VTf^a) 



3.1. Basic definitions 
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Definition 3.1.3 (Models). We will be working with source logics that are interpreted over 
variations of Kripke models. 1 We define MODS(£) to be the class of all models of the source 
logic and MODS (5) to be the class of all models of the target first-order logic. 

Sometimes we will use the notion of pointed models. A pointed model in the source logic £ 
is a model-world pair. We can see a pointed model as an £-model where the evaluation point 
has been fixed. We define the class of pointed models for the source logic as 

PMODS(£) = {(M,w) : M E MODS(£) and w E \M\} 

Similarly, in the target logic 5, we use Ai^g \= <p to note that a formula (p is true in the 
model M.f under the valuation (or assignment) g? A pointed model of the target logic # is 
a model-assignment pair. We can see a pointed model as an 3-model where the assignment 
function has been fixed. 

Definition 3.1.4 (x- assignment). Let be an $ model. An x-assignment for M.f is a 
function 

g : {x} -> \M f \ 

which assigns an element for the variable x. It can be seen as a finite valuation specialized to 
the variable x. 

We will use the concept of x-assignment to define the class of first order pointed models. 
This notion is a technical detail needed to make things work in Definition 3.1.6. The problem 
and solution will become clear after that definition. We define the class of pointed models for 
the target logic as 

PMODS(#) = {(M f ,g) : M f e MODS(#) and g is an x-assignment for M f } 

Observe that the formulas obtained through the translation defined in Definition 3.1.2 
have at most one free variable and that variable is x. Therefore, if we want to evaluate those 
formulas in a first order model , an x-assignment g is enough for M^g \= <p(x) to be well 
defined. 

Notation 3.1.5. Let (M f , g), (Af f ,h) e PMODS(£). We write M f ,g =$ Af f ,h to mean 
that for every first order formula a(x); A4^g \= a(x) if and only if Aff , h \= a(x). 

There's one more thing to be taken into account, formulas from £ and formulas from $ are 
not evaluated in the same models. The former are evaluated in Kripke models and the later 
are evaluated in first-order models. This is the reason why we are not yet able to compare <p 
with Tf x (tp). 

We can think of models as 'information bearers', they represent some information relative 
to the world in a way that is compatible with some logic. Therefore, the information is not in 
the model itself but somewhere else. We need to define some way to 'look at' this information 
from different perspectives, one compatible with the source logic £ and other compatible with 
the target logic Following the same line we define a model translation that 'converts' the 
information between the source and target logic. 

1 Even propositional logic can be thought of as a modal logic without modal operators and restricted to 
models with one single point. 

2 Observe that in this case g is a valuation and not a point of the domain. 
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Definition 3.1.6 (Model translation). Given a class of models K C PMODS(^), a model 
translation is a biyective function 

T K : PMODS(£) -> K 

We write T instead of Tk when the class of models is clear from the context. As an abuse of 
notation we use T(M) when we are not interested in the associated assignment and T (A? , g) 
for the preimage of (A^g). 

Returning to the need for x-assignments, note that if we allowed g to be a standard 
assignment (i.e. g : FVAR —> \ A4^\) in Definition 3.1.3 then for every pointed £-model (M,w) 
we would have many pointed 3-model {M^g%) where gi(x) — w and the assignment for the 
rest of the variables changes arbitrarily. Therefore, this could carry problems at the moment 
of satisfying the suryectivity requirement. 

As an exercise, suppose that the class of pointed models is defined with standard as- 
signments and try to define a model translation for BML. You will observe that there is a 
cardinality problem. 

When we proved the results for BML we did not use a model translation, at least not 
explicitly. On the other hand, this translation was implicitly present when we gave an in- 
formal way to 'look at' models from both a BML and a first order perspective. The model 
translation function will serve us in this task. We are now ready to set proper constraints on 
the translations. 

Definition 3.1.7 (Truth preserving pair of translations). A pair of translations (Tf x ,T) is 
said to be truth-preserving if for all ip G FORM(£) and all (M, w) G PMODS(£) 

M,w^^ if f T(M,w) \= Tf x (<p) 

Let's fix (Tfj;, Tk) as our pair of truth-preserving translations for the rest of the thesis. We 
will also want to translate formulas from £ to $ and then go back to ^-formulas. As we are 
not requiring Tf x to be injective this could lead to a problem. We make the following claim. 

Proposition 3.1.8. For any a, /3 such that Tf x (a) = Tf x ((3) we have ^£ a /3. 

Proof. Suppose that ^£ a f3, then we have a model M and a point w such that A4, w \= a 
and w \£ /3. Then by definition of truth-preservation of the translations we get T(M, w) \= Tf 
and T(M,w) tf= Tf x (P). Absurd. □ 

We will use this proposition to make a simplification. First define the equivalence relation 
ip ~ ^ iff ^£ ip ^ ijj. Regarding ^-formulas, we can always take the equivalence classes 
defined by the quotient set of £-formulas by ~ and for each class choose a representative to 
work with. 

To simplify the proofs in this thesis, and without loss of generality, we will assume that 
we are working with the set of formulas defined above. All of our proofs should also work 
with the original set of formulas but they would require excessive detours and justifications. 
In this setting we will be working up to formula equivalence and we will assume that our 
formula translation Tf x is injective. 
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Definition 3.1.9. Let K C MODS(£), M be an £-model and w G \M\. We define the theory 
of a pointed model, model and class of models as follows 



Given two £-pointed models (Ad, w) and (Af, v) we say that the pointed models are modally 
equivalent (noted M,w =£ Af,v) when J\\(M,w) = Th(Af,v). We say that two models 
(not pointed) are modally equivalent (noted Ad =£ Af) when Th(A4) = Th(AT). We write 
M,w E£ Af,v when J\\(M,w) C Th(A/» and Ad E£ Af when J\\(M) C Th(AA). All these 
definitions can be similarly defined for the target logic $ and we will assume them defined. 

The framework defined in this section will allow us to transfer results between the source 
and target logics. As an example we prove compactness for £ under some special closure 
conditions (which will be addressed later). 

Lemma 3.1.10 (£ is compact). If £ has a pair of truth-preserving translations (Tf x , T~k) and 
K is closed under ultraproducts then £ is compact. 

Proof. Let T be a set of £-formulas and suppose that any finite set of V is £-satisflable. We 
will show that T is £-satisflable. 

Take any finite Aj C Tf x (r), we want to see that it is satisfiable in K. As our formula 
translation is injective we have a set A C T such that A = Tf~ x (Aj). Observe that A is finite 
because Tf x is injective. By hypothesis there exists (Ad,w) such that Ad,w \= A because A 
is a finite subset of T. Hence, by truth-preservation, T(A4,w) \= Af and T(A4,w) E K. 

By Theorem A.l we conclude that there exists a model (J\ff,g) in the class K such that 
Aff \g \= Tf x (T). As the translations are truth preserving we get T (M^g) \= T. □ 

3.2 General model equivalence 

In Chapter 1 of this thesis we introduced the general idea of model equivalence and, in 
particular the notions of simulation and bisimulation for some specific logics (namely BML" 
and BML). We want the framework we are developing to be able to handle several types of 
model equivalence relations. 

Restricting ourselves to the definition of simulation and bisimulation we can see that, the 
latter can be seen as a special case of the first where there is a symmetrical atomic condition 
and a 'back' clause. Looking at their common properties we can say that they both agree in 
the following points: 

(i) They relate a point in one model with a point in the other model. Thus, given M. and 
Af, if Z is such relation then Z C \M\ x \Af\. 

(ii) They imply some kind of modal theory transfer. In the case of simulations, if wZv then 
AA,w C Af,v. On the other hand, bisimulations imply full modal equivalence: if wZv 
then M. w = Af, v. 



Th(7W,w) 
Jh(M) 
Th(K) 



{<p : M h ^} 

{ip : VM E K it holds that M |= ip} 
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3. The generalized framework 



(iii) For every (bi) simulation between M and A/", the models' structure doesn't change. That 
is why the notion of (bi) simulation always links points from AA to points of Af. We will 
have to make a small change here to be able to handle (bi) simulations in dynamic logics. 3 

Following this analysis, given a source logic £, we will give a meta- definition for model 
equivalence notions. That is, we will not define a relation but give the conditions that a valid 
model equivalence notion should satisfy. Any simulation or bisimulation relation satisfying 
the next definition fits into our framework. 

As an abuse of language, we call it £- simulation. We use this name because it reminds 
us of the properties that simulation relation defined for BML" satisfies but it is not the same. 
As it will be clear from the definition, we don't impose any structural constraint. 

Definition 3.2.1 (^-simulation) . Given two £ models AA and Af we define an ^-simulation 
to be a non-empty relation Z C PMODS(£) x PMODS(£) with the following constraint 

If (M, w)Z(Af, v) then M, w C £ A/> 

We write A4,w :±£ A/", v to indicate that there exists a simulation between w and v and 
AA zztg Af to indicate that there exists a point w E \A4\ such that A4,w Af,v for some 
v E \Af\. We write w zztg v when the models are clear from context. 

Note that the simulation definition for BML" satisfies the above definition with minor 
changes. The only difference is that we have to take into account the 'model' component of 
the simulation relation. It can be re-defined as follows. 

Example 3.2.2. A BML" simulation is a non-empty binary relation between pointed models 
such that whenever (A4,w)Z(Af,v) we have that: 

Atomic condition: If w E V M (p) then v E V^(p) for all p E PROP. 

Forth: if wR\w' ^ then there exists a point v r in Af such that vR2v' and (A4, w f )Z(Af, v f ). 

When thinking about BML's bisimulation, it may seem that this definition is missing some- 
thing. We know that if AA,w and Af,v are related by a bisimulation then A4,w = Af,v 
but the above definition only guarantees A4,w □ Af,v. Don't worry about that now, it will 
become clear in the next section that this condition is enough for what we need. Observe, 
also, that a bisimulation is a special case of Definition 3.2.1 where the relation is symmetric. 

We want to stress that this definition of £-simulation does not cover all possible types of 
model equivalences and it isn't suitable for all types of modal languages. One example where 
this notion is not adequate is when the language doesn't have disjuction nor negation. Let AA 
and Af be two models, the right notion of simulation for this language links sets of points from 
A4 to a point of Af. As we have defined our possible languages in Section 3.1 this will not be 
a problem because we always have disjunction in our source language. For more information 
about model theory on disjunct ion- free languages refer to [KdR97]. 



3 Logics where the modal operators may change the model. 



3.3. Saturation 
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3.3 Saturation 

We have seen that, in general, modal equivalence does not imply bisimilarity. It is also the 
case with BMLT's simulation that, in general A4,w z±N , v does not imply w □ A/", v. This 
problem recurs with most model equivalence notions found in the literature. 

We have stated that in the class of ^-saturated models, BML equivalence implies bisimu- 
lation. For this framework we need to define a similar notion which fits the logics we will be 
working with. Let's formally define the general condition that we're pursuing so we can focus 
on it. 

Definition 3.3.1 (Hennessy-Milner Property). Let K be a class of £-pointed models, we say 
that K has the Hennessy-Milner property if for every two £-models (A4,w) and (Af,v) in K, 
whenever M,w A/", v we have A4, w :±£ A/", v. 

This definition should be interpreted as the converse of the ^-simulation (Definition 3.2.1) 
requirement and will be the definition of Hennessy-Milner class used in our framework. 

Is this definition general enough to cover the cases we have been talking about? We know 
that if we fix £ as BML and the simulation relation as BML's bisimulation we have that 
A4,w =£ AA, v implies A4,w t±£ A/", v but the definition above seems to impose a stronger 
constraint. We only have M,w C£ AA, v as hypothesis and we should conclude the same 
thesis. We make the following statement that explains why there is no problem with this. 

Proposition 3.3.2. If £ has negation then M,w ^£ A/", v if and only if w =£ A/", v. 

As BML has negation, the seemingly weak hypothesis turns strong enough to prove the 
result in that particular case. The special case regarding saturation for BML is nicely covered 
in [BdRVOl]. 

Regarding cj-saturation, the definition given in Definition 1.4.4 is in terms of first order 
models. In that moment, as we were looking at BML and first order models as if they were 
the same, that gave us no problems. 

In this chapter we want to make an explicit differentiation between £-models and ^-models. 
To make our proofs simpler we choose the following definition for a;-saturated £-models. 

Definition 3.3.3. We say that an £-model M is uo-saturated if and only if T(M) is. 

For details on oj-saturation, classical results can be found in [CK90]. Also, in Marco 
Hollenberg's thesis [Hol98], he extensively investigates Hennessy-Milner classes. 
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4.1 Adequate pair 

In Chapter 3, while developing the framework, we explained the objectives we are pursuing 
when doing a generalization. In the following definition we will make explicit the requirements 
for the theorems in this chapter to hold for an arbitrary logic £ and with respect to a class 
of models K. 

Definition 4.1.1 (Adequate pair). A logic £ and a class of models K C PMODS(^) is said 
to be an adequate pair if they fulfill the following requirements 

1. K is closed under ultraproducts (Definition 4.1.2). 

2. There exist truth-preserving translations Tf x , T~k (Definition 3.1.7). 

3. There exists an ^-simulation notion (Definition 3.2.1). 

4. The class of cj-saturated £-models should have the Hennessy-Milner property with re- 
spect to ^-simulations (Definitions 1.4.4 and 3.3.1). 

We need to formally define the closure under ultraproducts and ultrapowers used above, 
as the ones given in Chapter 2 were specifically crafted for BML. 

Definition 4.1.2 (Closure under ultraproducts). A class K C MODS(#) is said to be closed 
under ultraproducts if, let Ad{ be a family of ^-models in K and let U be an ultrafllter, the 
ultraproduct Yljj M{ is also in K. A more sophisticated definition is needeed for first-order 
pointed models. 

A class K C PMODS(^) is said to be closed under ultraproducts if, let (M{ ,gi) be a family 
of ^-pointed models and let U be an ultrafllter. Let the Yl u M{ be the ultraproduct of the 
models then (Yljj>M{,g*) E K for every g* defined as g*(x) = \z.gi{x) for all x. 1 

Definition 4.1.3 (Closure under ultrapowers). A class K of ^-models is said to be closed 
under ultrapowers if it is closed under ultraproducts where every Ad{ is the same model. A 
similar definition can be given for pointed models. 

Why are we requiring K to be closed under ultraproducts? We could have asked for more, 
such as K being definable by a first order formula, which implies closure under ultraproducts. 
We could've also tried to impose no restriction over K. 

We decided to require K to be closed under ultraproducts because it is the weakest con- 
dition that lets us use the relativized version of the first order compactness theorem (stated 
and proved in the appendix as Theorem A.l). In particular, all first-order definable classes 
and the class of 'all models' will always fit in an adequate pair. 

1 For a formal definition of the lambda notation refer to [Bar85] . 
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4. Main Results 



The second item in Definition 4.1.1 makes sure that £ is less or equally expressive than 
first order and that there is some way to compare between the formulas and models of both 
logics. 

In the same way, the third item only asks for the definition of a simulation notion which 
is essential to develop the model theory of £. All the results will be stated in terms of that 
£-simulation notion. 

With enough practice, points one to three can be easily checked by just 'looking at' £. It 
is only when we get to the last item that we face the strongest requirement. This points says 
that the class of cj-saturated £-models should have the Hennessy-Milner property. 

In Chapter 2 we mentioned that the class of cj-saturated BML models had the Hennessy- 
Milner property with respect to BML bisimulations (although in that moment we didn't call 
it 'Hennessy-Milner' yet). The proof of that result makes a link between the semantics of 
BML and the structure of the BML bisimulation. Therefore, it makes use of the structural 
definition of the BML bisimulation. 

So far, given a logic £, we are looking at £-simulations as black boxes. All we know is 
that w :±£ v implies w E# v. We don't know which structural properties it imposes. This is 
the reason why we still need this item to be proved for the results to work. 

We think that there's still much work to be done to weaken this last requirement and we 
will give our opinion on directions for further work in the conclusions. 

4.2 Characterization 

One of the central notions in the characterization theorem for BML was that of bisimulation 
invariance. Recall that bisimulations are defined between BML models but the notion of 
bisimulation invariance is defined for first order formulas. 

Definition. A first order formula a(x) is invariant for BML bimulations if for all BML 
models M,N and w E v E \J\f\ such that A/f, w t±AA, v the following holds: 

M h ol(x)[w] iff h ol(x)[v]. 

When working with BML, this difference made no problem to us because we didn't really 
distinguish between BML and first order models. It is time for us to give an invariance 
definition that fits our framework and there is an important decision to be made. 

The property of 'invariance' is thought for first order formulas and the notion of £- 
simulation is defined between £ models. We have to options: The first one is to call a 
first order formula a(x) 'invariant for £-simulations' if, for every two £ models A4,w and 
AA, v such that M, w n>£ A/", v whenever a{x) holds in ~T(M 1 w) it should hold in T(AA, v). In 
this case we are 'mixing' the models through the translation. 

The other option is to 'lift' the £-simulation notion to # models and define a simulation 
relation — ^. In this case we could just say that a first order formula a(x) is 'invariant for £- 
simulations' if, for every two $ models g and A/^, h such that M^g A/^, h whenever 
a(x) holds in , g it should hold in A/^, h. 

The advantage of the first option is that there's no need for new definitions; in contrast, 
the second one would require a formalization for the 'lifting' to be defined along with the 
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model translation. On the other hand, it would be nice to be able to check two # models for 
'model equivalence' as we can do with £. 

In this thesis we choose the first option because it is the most direct one in this setting. 
Observe that, in particular, the first option can be seen as a special case of the second one 
when the following 'canonical lifting' is defined. 

M f ,g^M f ,h iff T\M f ,g)^zT\N f ,h) 

Again, the problem with this definition is that it bears no structural information regarding 
model equivalence between first order models. It is just another detour. 

Definition 4.2.1 (^-simulation K-invariance) . Let (£, K) be an adequate pair. A formula 
ql{x) of J 1 is K-invariant for ^-simulations if for all £-models A4,J\f and w E |A"f|,i> E |7V|: 
If M, w z*£ A/*, v and T(M, w) \= a(x) then T(AA, v) \= a(x). 

Before stating the characterization theorem let's see the importance and role of the class of 
models K in these definitions. What happens to formula equivalence when we change the class 
of models? As a motivating example we will work with a first-order formula (p = \/x.R(x : x) 
which holds in a model if and only if R is a reflexive relation. 

In the class of all models it is obvious that ^= (p (<p is not valid) because we can come up 
with some models where R is not reflexive. Given that "reflexivity" is not expressible in basic 
modal logic, we can conclude that tp is not equivalent to the translation of any basic modal 
formula. 

Definition 4.2.2 (K-equivalence). Let K C MODS(#) and <p,^ E FORM(#). We say that <p 
and ijj are K- equivalent if and only if |=k (p tp. 

Let's now restrict the class of models, let K be the class of reflexive models. Now |=k 
because it is valid in every model of the class. In this setting there is a basic modal formula 
whose translation is K-equivalent to (p. Take ip = T we have |=k ST x (ijj) <r¥ (p because 
|=K T f>(^. What happened here is that, restricting our class of models the number of valid 
formulas has grown and with them the number of "formulas equivalent to a translation" . 

Something similar occurs with £-simulation invariance. Again, we have seen that in the 
class of all models we can have two bisimilar models where one has a reflexive relation and 
the other doesn't. Therefore "reflexivity" is not invariant under bisimulations. 

If we change the class of models to the class of reflexive models we see that now the 
property becomes invariant over bisimulations. This happens because it is trivially invariant 
all over K. It is nice to observe that the concepts of invariance and equivalence are very 
closely related to each other when we change the class of models we are working with. 

Theorem 4.2.3 (Characterization). Given an adequate pair (£, K) then 

A formula a(x) of J 1 

is K-equivalent to the translation of an £-formula iff 
a(x) is K-invariant for £- simulations. 
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Left to right. Suppose a(x) is K-equivalent to the translation of an £- formula (p. We want 
to see that it is invariant over £- simulations. This is a consequence of the invariance of 
^-formulas over £- simulations. Suppose we have A4,w z±N,v and T(M,w) \= a(x) but 
T(AT,v) \/= a(x). As ol(x) <h> Tf x (ip) and the translations are truth-preserving it must 
hold that A4,w \= cp and Af,v \/= (p. But this is a contradiction because £- formulas are 
invariant under £-simulations and we have a simulation linking those points. □ 

Right to left. Suppose a(x) is K-invariant for £-simulations, we want to see that it is K- 
equivalent to the translation of an £-formula. Consider the following set of consecuences 

SLC(a) = {Tf x (<p) : ip is an £-formula and a{x) Tf x ((p)}. 

We will prove that if SLC(a) ol(x) we are done. 

Proposition 4.2.4. If SLC(o;) |=k ol{x) then a(x) is K-equivalent to the translation of an 
£-formula. 

Proof. Suppose SLC(a) Oi(x), by relative compactness (Theorem A.l) there is a finite set 
A C SLC(o;) such that A ol(x), therefore A ^ ~> a ( x )- Trivially (by definition) we 
have that ol(x) 4 /\A so we can conclude ol{x) <h> /\A. As every (3 E A is the 
translation of an £- formula and the translation preserves conjunction then f\ A is also the 
translation of some modal formula. □ 

Lemma 4.2.5. SLC(a) ol{x). 

Proof. Suppose that T(M,w) \= SLC(a). We have to show that T(A4,w) \= a(x). Define 
NTh^(x) as 

NTh^(x) = {^Tf x (<p) : ip is an £- formula and A4, w ^= <p} 

Observe that, if £ has negation then NTh w (x) will be the translation of w's modal theory and 
every model of NTh^(x) will be modally equivalent to w. If £ doesn't have negation we will 
only preserve formulas that are not true in w. This definition fits for both cases. Now define 
the set 

S(x) = {a(x)}UNJh w (x). 
We will see that has a model in K. 
Proposition 4.2.6. has model in K. 

Proof. Let's suppose that there is no model in K for T,(x) and use the contrapositive of 
Theorem A.l. We can conclude that there must be a finite subset {a(x), ->5i, . . . , ~^S n } C S(x) 
with -i5i E NTh w (x) which doesn't have model in K. Note that this set should include a(x), 
otherwise it would have a had model, namely T(M,w). 

Observe that, for every model A^ E K, as A^ \/= {ct(x), — ><5i , . . . , -*5 n } then A^ \= a(x) 
->(->5i A • • • A ->5 n ). This means that a(x) — >> (Si V • • • V 5 n ) is valid in K, therefore a{x) |=k 
5\ V- • • V8 n . If Si V • • • \/S n is a K-consecuence of a(x) then, as the formula translation preserves 
disjunction, 5\V — -V 5 n E SLC(a). But, as J(M,w) \= SLC(o;) then J(M,w) \= Si V- • -VS n . 
This is absurd because T(M,w) \/= Si for every i. □ 
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As is satisfiable in K we have a model Af and an element v such that T(Af, v) \= 
We make the following proposition. 

Proposition 4.2.7. Af, v M,w. 

Proof. Take the contrapositive. Suppose that A4,w \/= tp then -iTf x (tp) E NTh w (x) and 
because NTh^(x) C we can state that T(Af, I?) |= ->Tf x ((p) which implies that T(Af, v) \/= 
Tf x ((p). By truth-preservation of the translations we get Af, v \/= (p. □ 

We will need to link T(M,w) and T(Af,v) in a way that lets us transfer the validity of 
a(x) from the second model to the first one. The next lemma will come handy. 

Lemma 4.2.8 (Big Detour Lemma). Let a(x) E FORM^ 1 ) be £-bisimulation K-invariant, 
if Af, v □£ M, w and T(Af, v) \= a(x) then J(M,w) \= a(x). 

Proof. We define some names to avoid cumbersome notation in this proof. We add a subscript 
/ to the first-order translations of £ models, we add a superscript + to first-order saturated 
models and a superscript * to modal saturated models. 

Applying Theorem A. 3 to M, w and Af, v (with Mi = M 2 = MODS(£)) we build up new 
models. The theorem explicitly states the relationship among them, we will use this result to 
prove this lemma. Hereafter we will use the same notation as in Theorem A. 3. 

The following diagram helps to illustrate the actual situation along with the relationship 
between the various models. Think of it as a cube. The front face represents the models from 
the source language and the back face has the models from the first-order language. 



Nf,9v 



T 



M,w 



Af*,v* 




Fig. 4.1: Directions for the detour. 

With this new notation the Big Detour Lemma can be restated as follows: Let a(x) be 
an £-bisimulation K-invariant formula, if Af, v Ad, w and Aff, g v \= a(x) then AAj,g w |= 
a{x). 

Using a simple diagram chase argument we can see that, as Aff,g v \= a{x) and Af^,g^ 
is elementary equivalent to Aff,g v , then Aff,g^ \= a(x). Because a(x) is invariant under 
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£-simulations and AA*,i;* =>£ A^*,^* we know that M^g^ \= a(x). Again by elementary 
equivalence we conclude that Mf,g w \= a(x) which is what we wanted to prove. □ 

Applying this lemma to Ai,io and A/*, v and having transfered the validity of a(x) from 
T(Af,v) to T(A4,w) we can conclude that SLC(a) |= a(x). With this final affirmation we 
have just proved the right-to-left direction of the characterization result. 
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4.3 Definability 

The study of class definability is not new. There exist, for example, several results for first 
order logic regarding the definability of classes of models. In that case, a class of models that 
is definable by means of a set of first order formulas is called elementary and those that can 
be defined by means of a single formula are called basic elementary classes. 

To develop the theory of this section we will use a relativized version of the concept of 
first order definability. It is defined as follows. 

Definition 4.3.1 (C-elementary class). Let C C MODS (5). 

1. A class K C C is called C-elementary (noted C-ECa) if there exists a set of first order 
formulas T such that for all M f E C it occurs that M f \= T iff M f G K. 2 

2. A class K C C is called basic C-elementary (noted C-EC) if there exists a first order 
formula ip such that for all £ C it occurs that M f \= V iff M f e K. 

Definition 4.3.2 (Elementary class). Let K C MODS(#). 

1. K is called elementary (noted EC a) if it is C-elementary for C = MODS (5). 

2. K is called basic elementary (noted EC) if it is basic C-elementary for C = MODS(^). 

On the modal side, we will use pointed models for a smoother proof. We need some further 
definitions before stating the main theorem of this section. The concept of 'definability' in 
the source logic is given analogously to the one of the target logic. 

Definition 4.3.3 (Definability). A class M C PMODS(£) is said to be definable by a set of 
formulas if there exists a set V of £- formulas such that (Ai,w) £ M if and only if A4, w \=T. 

Definition 4.3.4 (Closure under simulations). A class M C PMODS(£) is said to be closed 
under simulations if, whenever (A4,w) E M, and (Af,v) is an £-pointed model such that 
M, w z±2 A/*, v then (A/*, v) e M. 

As in first order and BML, we distinguish between two types of classes. Those that can 
be defined by a set of formulas and those that can be defined by a single formula. Here we 
state the first theorem and then carry on with the second one. 

Theorem 4.3.5 (Definability by a set). Given an adequate pair (£, K) and a class of pointed 
models M C PMODS(£), the following are equivalent 

(i) M is definable by a set of £-formulas. 

(ii) M is closed under £-simulations, T(M) is closed under ultraproducts and T(M) is closed 
under ultrapowers. 

From i to ii. Suppose that M is defined by the set T of £-formulas. 

2 A C-ECa class can be seen as the intersection of C-EC classes. The A in the notation comes from the 
german word Durchschnitt which means 'cross-section' and makes reference to this fact. 
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1. Suppose now that there is a model (M, «;) E M such that M, w z^Af^vior some pointed 
model Af,v. As (A4,w) £ M it must occur that A4,w \=T. By simulation preservation 
we have Af, v \= T therefore (J\f,v) E M. Therefore M is closed under ^-simulations. 

2. To see that T(M) is closed under ultraproducts take a family of models (Ad{ , gi) E T(M). 
Because every M{,Qi is in T(M) we have that M{,gi \= Tf x (T) for all i. Let = 
Y\ d M{ be an ultraproduct of those models, by [CK90, Theorem 4.1.9] we have that 
M f ,g* h Tf x (r) for g*(x) = Xz.g^x). Therefore (M f ,g*) E T(M). Thus, the class is 
closed under ultraproducts. 3 

3. We still have to check that T(M) is closed under ultrapowers. Take (M^g) E T(M), 
by definition M f ,g ^ Tf x (r). Let M.{ = U D M f be an ultrapower of M f , by [CK90, 
Corollary 4.1.10] the ultrapower is elementary equivalent to the original model. Hence, 
let h(x) — Xz.g(x) be the canonical mapping, Ml,h \L Tf x (r). This means that 
(Ml, h) E T(M) and therefore the class is closed under ultrapowers. □ 

From ii to i. Suppose M is closed under £-simulations, T(M) is closed under ultraproducts 
and T(M) is closed under ultrapowers. Define the set T = Th(M). Trivially M |= T, we still 
have to show that if M, w \=F then (M,w) E M. Define the following set 

NJh w (x) = {->Tf x (<p) : <p is an £- formula and M, w ^ <p} 

Let's see that NTh^(x) is finitely satisflable in T(M). Suppose not, there is a finite subset 
Sq C NTh^(x) such that Sq = {^cri, • • • , ^o~ n } is not satisflable in T(M). That means that 
the formula = ->(->cri A ••• A ~^a n ) is valid in T(M). Observe that is equivalent to 
^ — o\ V • • • V o n . As the formula translation preserves disjunction and truth there exists an 
£-formula -0* such that ^ Tf x (^*). Hence Tf^*) is valid in T(M) and therefore 0* E I\ 
This is absurd because it is obvious that A4,w \/= 0* and by hipothesis A4,w \=T. 

Having proved that every subset of NTh^(x) is satisflable, by relative compactness, there 
is a model (A/*, v) E M such that T(A/", v) \= NTh^(x). We have already proved (in Proposition 
4.2.7) that these models satisfy A/", v ^£ w. 

Suppose that (M,w) E M, using Theorem A. 3 (with Mi = M and M2 = M) we can 
conclude that there exist models (Af*^*) E M and (M*,w*) E M such that Af*,v* z±£ 
A4*,w*. As M is closed under simulations then (M,w) E M. Absurd, therefore (M,w) must 
be in M. □ 

Notation 4.3.6. Let (M f ,g), (N f , h) E PMODS(#) we write M f ,g = N j \ h to mean that 
there exists a potential isomorphism / between A4^ and Aff such that (a) 1(b) where a = g(x) 
and b — h{x). That is, there is a potential isomorphism that links the elements assigned by 
g and h. 

Definition 4.3.7 (C-closure under potential isomorphisms). Let C C MODS(^). A class 
K C C is C-closed under potential isomorphisms if for every A4? E K and Aff E C such that 
M f ^ Af f then Af f E K. 



3 This application is a corollary of The Fundamental Theorem of Ultraproducts. This same application can 
be seen in the proof of Theorem's 4.1.12 in the same book. 
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The definition for pointed models is similar. Let C C PMODS(^). A class K C C is 
C-closed under potential isomorphisms if for every (M^g) E K and (J\ff,h) E C such that 
M^g = N f , h then , h) E K. 

Lemma 4.3.8. Let M C PMODS(£). If M is closed under £-simulations and both T K (M) 
and T~k(M) are closed under ultrapowers then Tk(M) and Tk(M) are K-closed under potential 
isomorphisms. 

Proof for T (M) . Suppose that T(M) is not K-closed under potential isomorphisms. This 
means that there exist models (M f , g) E T(M) and (fsff , h) E T(M) such that M f ,g = M f , h. 
Recall that K\T(M) = T(M). For a smoother proof, call their modal counterparts A4. w and 
A/", v respectively. Therefore (M,w) E M and (Af,v) £ M. 

As M f ,g = Af f ,h we know by [CK90, Proposition 2.4.4] that M f ,g \= <p(x) if and 
only if Aff,h \= <p(x). In particular they have the same modal theory, A4,w =£ J\f,v. As 
this implies that M,w A/", v we can use Theorem A. 3 (instantiating with Ki = T(M), 
K 2 = T(M) and M, M interchanged) and get models (M*,w*) E M and (AA*,i;*) E M such 
that M*,w* z±z Af*,v*. 

Knowing that w* ^£ AA*, v* and that M is closed under simulations we conclude that 
(AA*,i;*) E M. This is absurd because it contradicts (AA*,i;*) E M. Hence T K (M) is K-closed 
under potential isomorphisms. □ 

Proof for T "(M) . To see that T(M) is K-closed under potential isomorphisms we argue by 
contradicction. Suppose not, then there exist (M^g) E T(M) and (Aff,h) E K \ T(M) such 
that M f ,g = Af f ,h. As (Af^h) E K \ T(M) this means that (Af^h) E T(M). We have 
just proved that T(M) is K-closed under potential isomorphism then, as M^g = ,h, we 
conclude that (A4^g) E T(M) which contradicts our hypothesis. 4 Absurd. □ 

Theorem 4.3.9 (Definability by a single formula). Given an adequate pair (£, K), and a 
class of models M C MODS(£), the following are equivalent 

(i) . M is definable by a single £- formula. 

(ii) . M is closed under £-simulations and both T(M) and T(M) are closed under ultraprod- 

ucts. 

From i to ii. Suppose M is definable by a single £- formula ip. 

1. Let's see that T(M) and T(M) are closed under ultraproducts. Recall that M is definable 
by a single £- formula (p. Take the class of first order models defined by Tf x (<p) and call 
it M e . Observe that M e can be expressed as the disjunct union M e = T(M) U M / 
between the translation of M and some other models that do not fall in K. Therefore 
T(M) = IVFnK = MODS^Tf^ ((/?)) n K. The following diagram helps illustrate the 
different classes. The box represents the class of all $ models, K is the class with an 
irregular border and M e is the oval. 



4 Here we use the symmetry of the potential isomorphism relation. 
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4. Main Results 




Using Theorem 4.3.5, as M is denned by the singleton set T = {(/?}, T(M) is closed under 
ultraproducts. To see that T(M) is closed under ultraproducts proceed as follows. 

(a) As K is closed under ultraproducts then, any ultraproduct from K must reside in K. 
In particular, any ultraproduct from T(M) must reside in K. 

(b) As M e is defined by ->Tf x ((/?), it is closed under ultraproducts [CK90, Corollary 
6.1.16]. This means that any ultraproduct from M e must reside in M e , in particular, 
any ultraproduct from T(M) must reside in M e . 

From (a) and (b) we can conclude that any ultraproduct from T(M) must be in KnM e = 
T(M). 

2. Using Theorem 4.3.5, as M is defined by the singleton set T = {ip} we can be sure that 
M is closed under £-simulations. □ 

From ii to i. Suppose that M is closed under £-simulations and both T(M) and T(M) are 
closed under ultraproducts. Using Theorem 4.3.5 we have a set of formulas T defining M. By 
Lemma 4.3.8 T(M) and T(M) are K-closed under potential isomorphisms. Now we use the 
relativized version of first order's definability result, Theorem A. 2, and conclude that there 
is a first order formula a(x) such that for every (M^g) E K; M^g \= a(x) if and only if 

(Mf.u) eJ[M). 

As M is closed under ^-simulations then a is K-invariant for ^-simulations. Using the 
Characterization Theorem (Theorem 4.2.3) we can conclude that a(x) is K-equivalent to the 
translation of a modal formula (p. Therefore there exists ip that defines M. □ 



5. APPLICATIONS 



In this chapter we will use the results that we have developed in the previous chapters and 
derive the characterization and definability theorems for particular cases of modal logics. 

5.1 Memory Logics 

Memory logics are a novel family of modal logics introduced in [AFFM08]. They allow to 
model dynamic behavior through explicit memory operators that change the evaluating struc- 
ture. This proposal introduces a framework for studying the notion of state in a more general 
way, without bounding the analysis to any fixed domain (like knowledge change, time flow, 
linguistics contexts, etc.). Most of the work that has been done in this direction implicitly 
adds some specific native behavior in the "dynamic component" . The approach presented in 
this paper wants to study some of the dynamic capabilities of the above mentioned approaches 
from a more abstract point of view, and analyze the different aspects of this family in terms 
of logic properties. 

This family of logics present several "memory operators" that can be considered modularly. 
We first present the syntax, signature and models for a broad set of operators and then analyze 
different possible combinations which form interesting logics. 

It is important to note that there are no Characterization and Definability results known 
for this family of logics at this moment. Therefore, the results obtained through the use of 
the framework that we've developed will be original. We present the results for the unimodal 
case but it can be easily generalized for the multi-modal case. 

Definition 5.1.1 (Signatures). Let PROP = jjpi,£>2, • • • } (the propositional symbols) be a 
countable infinite set of symbols and REL = {r} (the relational symbols) be disjoint. The 
source signature is defined to be S = (prop, rel). 

Let FPROP = {Pi, P25 • • • } (the propositional predicates) and FREL = {R} (the relational 
predicates) The target first-order signature is defined to be T = (fprop U FREL, 0, 0) with 
equality. 

Definition 5.1.2 (Syntax). The syntax of the Memory Logics family over a given signa- 
ture (prop, rel) is defined as an extension of the propositional calculus with the following 
operators: 

(p ::= • • • I ® I ®(p I ®p I (Dp I (r)<p \ ((r))<p 

where r E REL. We define the dual of ((r)) in the usual way: for all r E REL, [r]<p can be 
defined as -i((r))-i<p. We usually call these operators 'known', 'remember', 'erase', 'forget' and 
'double diamond'. Every logic of this family will be required to have at least the ® and (£) 
operators and can have any combination of the other operators. 

Observe that, defined this way, in the family of memory logics one has two types of 
diamonds: the 'single' diamond of BML and the 'double diamond'. The semantic of the first 
is defined as usual and the later will be defined shortly. 
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5. Applications 



The family of memory logics that we will be working with are all evaluated in an extension 
of Kripke models with a set that we call the 'memory' of the model. It is defined as follows, 
along with its first-order equivalent. 

Definition 5.1.3 (Models). A model for the source language over the signature S is a tuple 
M = (W, R, V, S) satisfying 

(i) W is a nonempty set, 

(ii) R C W x W is a binary relation over W, 

(iii) V : PROP — » V (W) is a valuation function, and 

(iv) S C W is the memory of the model. 

An $ -model for the target language is a tuple A4 l = (W 1 , R f , (P/)zgfprop 5 K) where 

(i) W l is a nonempty set, 

(ii) K CW, 

(iii) R t C W t x W t is a binary relation over W t , and 

(iv) (P/)ieFPROp are unary relations over W^. 

Notation 5.1.4. In the rest of this section the following notation will be useful. Let M = 
(W, i?, V, 5) be a model, w E W, and S" C W then we define 

M[+w] = (W,R,V,Su{w}) 

M[-w] = (W,R,V,S\{wj) 

M[+S'} = (W,R,V,SUS f ) 

M[-S'\ = {W,R,V,S\S f ) 

M[*} = (W,i?,y,0). 

We usually write M [w] instead of M [+w] . 

Definition 5.1.5 (Semantics). Given a model M = (W, i?, V, 5) and w E W, we extend the 
propositional part of the semantics presented in Definition 1.2.4 with the following rules: 

M,w^® iff weS 

M, w \= ®(f iff M [w] , W |= (p 

M,w\=^p iff .A/f w |= cp 

M,w^@(p iff .M [*] , u; |= 

./W, w \= (r)(p iff 3it/ E W, wifa/ and .M, w f \= (p. 

M, w \= {{r))(p iff 3w f E W, wRw' and A^w], u/ \= (p. 

Observe that the double diamond acts as a normal diamond but it always remembers the 
current state before moving. Hence, it can be thought as if the formula were leaving a trace 
while being evaluated in the model. 
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Definition 5.1.6 (Formula translation). We will not give an explicit translation for these 
logics, as we will not use it explicitly. We know there exists a translation to 3= because, 
in [AFFM08], there is an explicit translation from memory logics to Ti£ and there is a trans- 
lation from %C to 3= given in [BvBW06]. This translation preserves both conjunction and 
disjunction as needed. Let's call it Tf x : FORM(S) H> FORM(T). 

Definition 5.1.7 (Model translation). Let K be the class of all models for the signature 
T. Let M = (W,R,V,S) and AA l = (W\R\(Pt) zgfprop5^0- Define the model translation 
Tk(M,w) = (M 1 ^ 1 ) to be the function induced by the following equations 

W t = W 
Pi = V(pi) 
K = S 
R l = R 
g\x) w 

The simulation notion for a logic of this family allows a very modular definition. Let ~ be 
a binary relation between memory pointed models. So ~ relates tuples (A4, m) with (A/", n). 

A simulation for a memory logic £ can be defined imposing restrictions to ~ depending 
on the operators that £ has. In the following table we summarize the restrictions associated 
with each operator. We write S M to refer to the memory of the model Ad. R^ is used to 
denote a relation in A4 and R% is used to denote a relation in Af. 



always 


(nontriv) 


~ is not empty. 


always 


(agree) 


If (A4, m) ~ (A/", n), then m and n make the same prepositional 
variables true. 


® 


(kagree) 


If (M,m)~ (Af, n), then m G S M if and only if n G S M . 


® 


(remember) 


If (M,m) rsj (Af,n), then (M[m],m) ~ (Af[n],n). 




(forget) 


If (M,m) ~ (A/*,n), then (M[-m],m) ~ (Af[—n],n). 


® 


(erase) 


If {M,m)~ (A/», then (M[*],m) - (Af[*],n). 


(r) 


(forth) 
(back) 


If (A4,ra) ~ (Af,n) and Rj.(m,m f ), then there exists n' G A/" 
such that Rl(n,n') and (M,m') ~ (Af,n f ). 
If (A4,m) ~ (Af,n) and R^(n,n'), then there exists ra' G A4 
such that R),(m,m') and (M,m r ) ~ (Af,n r ). 


«r» 


(mforth) 
(mback) 


If (A4,m) ~ (Af,n) and Rj.(m,m f ), then there exists n' G A/" 
such that R%(n,n f ) and (A^ra],™') ~ (A/*[n], n'). 

If (A4,m) ~ (Af,n) and R^(n : n f ) : then there exists ra' G A"f 
such that i2*(ra, ra') and (A/f[ra],ra') ~ (A/"[n],n'). 



Fig. 5.1: Operator restrictions for a modular memory simulation definition. 



Definition 5.1.8 (Memory simulation). From now on, given a memory logic £, we will refer 
as 'the simulation for £' to the simulation defined by the sum of the necessary conditions of 
Figure 5.1 for the operators in £. 
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5. Applications 



Observe that, as every memory logic has negation, the simulation notion for memory 
logics will be symmetrical. Therefore we will use the bisimulation symbol t± to note memory 
simulations. 

Example 5.1.9. To give some examples of possible memory logics we cite the following ones 
which are named in [Mer09]. 



It is clear from the satisfaction definition of each operator that these logics have different 
capabilities. A detailed insight on the expressive power of these logics can be found in the 
aforementioned PhD. thesis. 

Theorem 5.1.10. Let £ be a memory logic, let (M,w) and (Af,v) be two memory models. 
If (M,w) £fe (A/» then (M,w) = £ (A/». 

Proof. Part of the proof can be found in [Mer09], it can be easily extended to he full set of 
operators. We will not present this proof here as it exceeds the focus of this thesis. □ 

Before starting with the proof of the main theorem of this section we will prove some 
lemmas that will be useful. The model may change during the evaluation of a formula. For 
our special case, it will be enough to prove that adding a state to the memory preserves 
cj-saturation. 

Lemma 5.1.11. If M is cj-saturated then ,M[+A] is cj-saturated too for all finite A C \M\. 

Proof. The proof of this lemma can be found in [Mer09, Lemma 5.2.2]. □ 

Lemma 5.1.12. Let M = (W, i?, . . .) be a cj-saturated Kripke model whose translation 
preserves the structure of the domain and the relations, that is, T(M) = (W, i?, . . .) where 
RCW xW. 

Let S be a set of modal formulas and w E W. If every finite subset ACS satisfies 
A4,va \= A where v& is an i?-successor of w then there exists v, an i?-successor of w. such 
that M,v \= S. 

Proof. Recall that the definition of cj-saturation lets us extend the first order language with 
a constant a for each element a <EW. Define H* = {Rwx} U Tf x (E). 

If we show that S* is satisfiable in some pointed model T(M,v) it is clear that S will be 
satisflable in a successor of w. This is because the domain and relations of M. and T(Ai) are 
the same and if T(M) \= Rwx[a] this means that a is a successor of w. The rest of the proof 
will focus on proving that X* is satisflable in the pointed model T(M,v). 



MC({r)) 



{®,®,((r))} 



MC(((r))) 
MC({r),®) 

MC(((r)),®) 
M£«r),@) 

MC(((r)),©) 



{©,®,©, (r)} 
{©,®,©,«r»} 
{©,©,©, (r)} 
{©,®,(i),((r})} 
{©,©,©,©, (r)} 
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Take a finite subset So C S*. Observe that this set should satisfy the following inclusion 
Eo Q {Rwx, <ti, . . . , o~ n } with G{ e Tf^(S). Therefore, if we show that this bigger set is 
satisfiable, it will also be the case with Eq. 

By hypothesis, every finite subset of E is satisfiable in a successor of w. Take the finite 
subset A such that Tf^(A) = {<ti, . . . , cr n }. This A is satisfiable in some successor v/\ which 
means that R(w,va)- We can conclude that T(A4,va) \= Rwx and T(A4,v/\) \= Tf^(A). 

We have taken an arbitrary finite subset of E* and shown that it is satisfiable. By uj- 
saturation we can conclude that the set E* is also satisfiable. □ 

To be able to derive the characterization and definability results using the framework 
developed in the previous chapters we need to prove that, for every memory logic £, the class 
of cj-saturated models has the Hennessy-Milner property with respect to £-simulations. Each 
logic will have its own definition of simulation with the proper restrictions listed above. 

As we want to consider all the possible logics from the family of memory logics we will 
need to prove that, given two models (M,w) and (Af,v) such that (M,w) =£ (J\f,v) we 
can construct an ^-simulation between them. We will do this by considering every possible 
operator and show that we can construct a simulation that satisfies the constraints associated 
for that operator. 

Theorem 5.1.13. Let £ be a memory logic, the class of cj-saturated models has the Hennessy- 
Milner property with respect to £-simulations. 

Proof. Given two cj-saturated models M, M it suffices to give an £-simulation between them. 
We propose the binary relation ~ defined as 

(M,w) ~ {Af,v) iff M,w =^J\f,v 

Suppose that (M,w) ~ {N,v). We first show that this relation satisfies the (nontriv) and 
(agree) restrictions which apply for every combination of operators, then we will undertake 
the proof for each special operator. 

Basic restrictions. We can see that if we are given two equivalent worlds in two different 
models then, by definition, the relation will have at least one element and therefore (nontriv) 
will be satisfied. Also, the definition of the relation implies that w and v make true the same 
propositional variables and therefore (agree) is satisfied. 

Restrictions for (g). We need to show that w is known in M if and only if v is known in 
J\f. The proof goes through easily using the satisfaction definition of the known operator 

we S M ^ M,w h ® A/> |=® ^ dgS^. 

The first and last implications are because of the semantics of (E), the implication in the middle 
is because of £-equivalence between w and v. This proves that (kagree) is satisfied. 
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5. Applications 



Restrictions for ©. As we suppose that (M,w) ~ (J\f,v) then for every tp we have 

M,w\=<p J\f^ v ^(p 
so, given a formula rp we can instantiate the equivalence and get 

M, w \= ©0 J\[, v \= ©0 

which by satisfaction definition holds precisely when 

M[+w],w\=i/; Af[+v],v \=i/; 

that means that those two states are equivalent and we can conclude (by def. of ~) that 

(M[w],w) ~ (Af[v],v) 
This proves that (remember) is satisfied. 

Restrictions for ©. As in the last paragraph, for every (p we have 

M,w\=ip j\f iV ^(p 
so, given a formula ip we can instantiate the equivalence and get 

M, w \= ©0 N, v \= ©0 

which by satisfaction definition holds precisely when 

M[—w],w\=il) <=^> Af[—v],v\=i/j 
that means that those two states are equivalent and we can conclude (by def. of ~) that 

(M[-w],w) ~ (Af[-v],v) 
This proves that (forget) is satisfied. 

Restrictions for ©. We proceed as usual, for every tp we have 

M,w\=<p TV, ^ h ^ 

so, given a formula -0 we can instantiate the equivalence and get 

M. w \= ©0 Af, v \= ©0 

which by satisfaction definition holds precisely when 

M[*],w\=ip J\f[*],v\=ip 
that means that those two states are equivalent and we can conclude (by def. of ~) that 

(M[*],w) ~ 

This proves that (erase) is satisfied. 
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Restrictions for (r). As we have (M,w) ~ (A/*, v) then M,w = A/", v. Suppose that w' 
is a successor of Let S be the set of all the formulas true at A4,w f . For every finite 
subset A C S we have M^w' |= /\ A and therefore A4,w \= 0/\ A. By £-equi valence we 
have A/", v |= O f\ A which means that for every A we have a i>-succesor which satisfies it. By 
Lemma 5.1.12 we can conclude that there exists v' a i;-succesor so that A/*, v' \= E. 

As M,w f and N,v f make the same formulas true then they are ^-equivalent and by 
definition they will be related by the simulation. We conclude that (M,w f ) ~ (Af,v f ). This 
proves that (forth) is satisfied. The proof for (back) is similar but switching the models. 

An alternative proof of this lemma, which uses a notion called m-saturation, can be found 
in [BdRVOl]. 

Restrictions for ((r)). As we have (A4,w) ~ (Af,v) then for every ip we have 

M,w\=ip <=> J\f,v\=(p 

therefore if, given an arbitrary ip we instantiate tp = @ip we get 1 

M,m\=®^ ^=> AA,n^©^ 

which, by satisfaction definition holds exactly when 

M[m\,m\=il; Af[n],n\=i/j (5.1) 

Observe that equation 5.1 implies that M[m],m =£ A/"[n],n. Using Lemma 5.1.11 we also 
know that (A4[m],m) and (A/"[n],n) are both cj-saturated. 

Suppose that w f is a successor of w. Let E be the set of all the formulas true at M[w], w f . 
For every finite subset A C E we have M[w],w' \= /\ A and therefore A4[w],w \= ((r)) A^- 
By ^-equivalence we have Af[v],v \= ((r)) f\ A which means that for every A we have a v- 
succesor which satisfies it. By Lemma 5.1.12 we can conclude that there exists v' a i;-succesor 
so that N[v\,v' |= S. 

As M[w],w' and J\f[n\,v' make the same formulas true then they are ^-equivalent and 
by definition they will be related by the simulation. This proves that (mforth) is satisfied 
because (M[w],w f ) ~ (Af[v],v f ). The proof for (mback) is similar but switching the models. 

After analyzing all the possible operators we have shown that, for every case, the £- 
simulation relation will satisfied the required constraints. This proves that given two uj- 
saturated ^-equivalent models we are able to construct an ^-simulation between them. There- 
fore, the cj-saturated class of models has the Hennessy-Milner property with respect to £- 
simulations. □ 

Corollary 5.1.14. The definitions given above, along with Theorem 5.1.13, prove that the 
pair (£, K) is an adequate pair for every memory logic £. Therefore, the Characterization 
and Definability theorems (4.2.3, 4.3.5 and 4.3.9) hold for this family of logics. In particular, 
these theorems hold for the logics in Example 5.1.9. 



1 We can use 'remember' here because we required that every memory logic should have it. Without this 
requirement we would've been able to use only ((r)). 
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5. Applications 



5.2 Hybrid Logics 

Hybrid Logics augment modal logics with machinery for describing and reasoning about iden- 
tity, which is a crucial in many settings. The notion of identity comes with the introduction 
of 'nominals' and operators to reason about them. In spirit, nominals work mostly as propo- 
sitional variables but they have the particularity of being true in at most one point. We start 
by defining the signatures for these logics. 

Definition 5.2.1 (Signatures). Let PROP = {pi,P2, • • • } (the propositional symbols), NOM = 
{ii, Z2, • • • } (the nominal symbols) and REL = {ri, • • • } (the relational symbols) be disjoint, 
countable infinite sets of symbols. The source signature is defined to be S = (prop, REL, nom). 

Let FPROP = {Pi, P2? • • • } (the propositional predicates), FREL = {Ri, R2, • • • } (the rela- 
tional predicates) and FCONST = {ci, C2, . . . } (the constants). The target first-order signature 
is defined to be T = (fprop U frel, fconst, 0) with equality. 

In this thesis we will (re) prove the characterization and definability theorem for a small 
family of hybrid logics. We will only consider the cases which extend BML with nominals 
and possibly the @ operator. There exist other hybrid important logics such as, for example, 
the ones which include the downarrow binder I. Results for these logics are nicely developed 
in [BvBW06, Chapter 12]. 

Definition 5.2.2 (Syntax). The syntax of the Hybrid Logic family over a given signature 
(prop, REL, nom) is defined as an extension of the propositional calculus with the following 
operators: 

(f ::= • • • I i I @i(p I (r)(f 

where i E NOM and r E REL. We define the dual of (r) in the usual way. 
Definition 5.2.3 (Models). A hybrid model for the source language is a tuple 

M = (W, (R r ) v,G) 

which satisfies 

(i) W is a nonempty set, 

(ii) R r C W x W are binary relations over W, 

(iii) V : PROP —> V (W) is a valuation function, and 

(iv) G : NOM — » W is an assignment for the nominals. 2 

An $-model for the target language is a tuple 

rGFREL 1 (Pi) 

2GFPROP 1 IWhGFCONST/ 

which satisfies 

2 In the literature one can find an equivalent definition where V : prop U nom — >• V (W) and G doesn't exist. 
In this case we should add V(i) — |1| for all i E nom as a restriction. It is easy to see that this two definitions 
are equivalent. 
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(i) W l is a nonempty set, 

(ii) C W t x W t are binary relations over W 1 , 

(iii) (P/)ieFPROp are unary relations over W l : , and 

(iv) c\ are constants. 

Definition 5.2.4 (Semantics). Given a model M = (W,R,V,G) and w G W, we extend the 
semantics presented in Definition 1.2.4 (BML semantics) with the following rules: 



M,w \=i 
M,w |= @^ 



iff 
iff 



w — i 



Observe that the satisfaction definition for the nominals acts as an identity checker and 
the ©-operator lets us 'jump' to an identified world. 

Definition 5.2.5 (Formula translation). A formula translation that meets our requirements 
is given in [BdRVOl, BvBW06]. We will not give the explicit definition because we will not 
need to use it. 

Definition 5.2.6 (Model translation). Let K be the class of all first order models over the 
target signature T. Let M = (W, (i? r )rGREL, V, G) and 

M t = (W*, (-R*)rGFREL5 (Pi)ieFPROPi ( C i)iGFCONST) • 



Define the model translation Tk(A^, w) 
equations 

W l - 

4 = 
Rt = 



(A1*, p*) to be the function induced by the following 



W 



V(pi) for pi e PROP 
G(i) for i e nom 

i? 7 ; 



As with memory logics, the small family of hybrid logics that we will analyze also allows 
a modular simulation definition. Let ^ be a binary relation between hybrid pointed models. 
A simulation for a hybrid logic £ can be denned imposing restrictions to ~ depending on the 
operators that £ has. It is important to stress that every hybrid logic should have nominals. 
In the following table we summarize the restrictions associated with each operator. We write 
G\ for the nominal assignment of M and G2 for the nominal assignment of A/*. 



nominals 


(nagree) 


If (A^,m) ~ (A/*, n), then G\(i) = m if and only if 
G 2 (i) = n for all i e NOM. 


@ 


(nom) 


If G\(i) = w and = v f° r some z G NOM then 



Fig. 5.2: Operator restrictions for a modular hybrid simulation definition. 
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Definition 5.2.7 (Hybrid simulation). From now on, given a hybrid logic £, we will refer 
as 'the simulation for £' to the simulation defined by the sum of the necessary conditions of 
Figure 5.2 for the operators in £ and the (nontriv) and (agree). 

Theorem 5.2.8. Let £ be a hybrid logic defined as in Definition 5.2.2, let (M, w) and (A/", v) 
be two hybrid models. If (M,w) t±£ (Af,v) then (M,w) =£ (Af,v). 

Proof. The proof of this theorem can be found in [BvBW06]. □ 

In the following theorem we will prove that the a;-saturated class of models has the 
Hennessy-Milner property with respect to the simulations for the following hybrid logics. 

T-LC = {nominals, (r)} 
HC(@) = {nominals, (r) , @} 

We will achieve this by showning that, given two equivalent pointed hybrid models, we can 
construct a simulation between them. 

Theorem 5.2.9. Let £ be a hybrid logic as in Definition 5.2.2, the class of cj-saturated 
models has the Hennessy-Milner property with respect to £- simulations. 

Proof. Given two cj-saturated models Ai, Af it suffices to give an £-simulation between them. 
We propose the binary relation ~ defined as 

(M,w) ~ (Af,v) iff M,w =£ Af, v 

Suppose that (M,w) ~ (J\f,v). The proof for the (nontriv), (agree), (forth) and (back) 
restrictions are the same as for memory logics (see Theorem 5.1.13). We prove the restrictions 
for nominals and the @ operator. 

Restrictions for nominals. This proof goes through using the satisfaction definition for 
the nominals. Remember that the nominals can only be true in one world. 

G M (i)=w M, w h i N.v^i ^ G M (i) = v 

the first and last implications are because of the semantics of nominal satisfaction and the 
implication in the middle is because of the £-equivalence between (M,w) and (Af,v). 

Restrictions for @. Suppose that G\(i) = w and = v. As the relation is non-empty 

we can always get two equivalent worlds a e \M\ and b E \Af\. Then we have 

M,a \= (f iff A/*, b \= Lp 

for all (p. Given an arbitrary formula ij) we can instantiate cp = @^ thus obtaining 

M,a h iff A/", b \= @^ 

which by semantic definition means that 

M,Gi{i) |= if; iff Af, G 2 (i) \=i/>. 
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By hypothesis we can replace G\(i) and an d get 

M,w \= i\) iff N, v \= i/j 

therefore M,w =£ N,v and by definition (.M, w) ~ (A/", u). 

After analyzing all the possible operators we have shown that, for every case, the £- 
simulation relation will satisfy the required constraints. This proves that given two uj- 
saturated ^-equivalent models we are able to construct an ^-simulation between them. There- 
fore, the cj-saturated class of models has the Hennessy-Milner property with respect to £- 
simulations. □ 

Corollary 5.2.10. The definitions given above, along with Theorem 5.2.9, prove that the 
pair (£, K) is an adequate pair for every hybrid logic £. Therefore, the Characterization and 
Definability theorems (4.2.3, 4.3.5 and 4.3.9) hold for this family of logics. 



6. CONCLUSIONS AND FURTHER WORK 



When developing a notion of simulation for a given logic £ we need to be sure that we end up 
with the adequate notion. This means that it should exactly characterize model equivalence. 
If we prove that 

If (M,w) ~£ (Af, v) then M,w E £ AT, v (6.1) 

we have the half of the work done but the notion could still be wrong. Suppose that, for 
example, we say that the right notion of simulation for BML" is the bisimulation notion of 
BML. It is obvious that we will be able to prove (6.1) but we are not working with the right 
notion of simulation: is is too strong for BML". 

In the process of finding the right simulation notion, candidates are often checked 'against' 
finite or finitely branching models. In those cases, one expects to be able to prove the converse 
of (6.1). As we have seen, these classes of models are special cases of cj-saturated models. In 
the development of this thesis we arrive to the conclusion that if we can prove the converse 
of (6.1) for any cj-saturated model then we can, with little work, derive the Characterization 
and Definability theorems. This observation stresses the important relationship of cj-saturated 
models and the right simulation notion for a given logic. 

When we defined the notion of adequate pair in Definition 4.1.1 we explained the strength 
of the Hennessy-Milner requirement. One would expect that a true generalization of the 
Characterization and Definability theorem doesn't require the proof of a lemma. Instead, it 
should give a series of easily checkable properties that a logic should satisfy. 

In sake of trying to give a result that could handle a broad spectrum of simulation notions 
we faced a big problem: we had no information regarding the structural properties of a 
simulation. In the applications chapter we saw that this information was essential to prove 
that cj-saturated models had the Hennesy-Milner property. 

We think that an important line of work lies in the effort of trying to prove the Hennessy- 
Milner property without much information about the simulation notion. In future work we 
plan to integrate the results of this thesis with an approach similar to the one presented 
in [AGIO], where coinductive model semantics are given. 

Recall that in the beginning of Chapter 3 we presented two equivalent definitions of the 
'Basic Temporal Logic'. The classical one had custom made modalities F and P and the 
alternative view considered them as normal diamonds over a restricted class of models. The 
work done by Areces and Gorm in [AGIO] generalizes this idea for (almost) any modality 
which can be defined with the pattern of the diamond operator (V3). 

From our perspective, the most important point of their work is that, by restricting the 
class of models, we get a unique notion of model equivalence for every logic that fits in their 
framework. The right simulation notion turns to be the same as BML's bisimulation. 

As far as we know, to the moment, there was no direct way to prove Characterization 
and Definability results using the framework developed in [AGIO]. The problem laid in the 
restriction applied to the class of models, there is no classical proof which takes this kind of 
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6. Conclusions and further work 



restrictions into account. With the results developed in this thesis it should be easy to prove 
a more general result using their framework. 

Good as it is, the framework developed in [AGIO] has its limits. Not every modality 
can be expressed with the pattern of a diamond. For example, there exists an extension of 
basic temporal logic which adds the Since and Until operators [BvBW06]. This operators 
don't respect the pattern of the definition of a normal diamond and therefore don't fit in the 
framework. 

We think that one of the most exciting ways to continue this work is to try to expand the 
framework developed by Areces and Gorm to support more types of operators. This would 
allow us to give a 'canonical' simulation notion for a broader set of logics and therefore be 
able to prove the Hennessy-Milner property for them. 

This line of work definitely looks as a promising path to give an automatic derivation of 
the Characterization and Definability theorems for a greater set of modal logics. 



APPENDIX A: AUXILIARY RESULTS 



Theorem A.l (First order compactness relative to a class of models). Let C be a class of 
first-order models which is closed under ultraproducts and let S be a set of first order formulas. 
If every finite set A C S has a model in C then there is a model in C for S. 

Proof. Let Ai{ be a model for each finite subset A^CE, algebraic proofs of the compactness 
theorem [Kei08, Theorem 4.3] show that the ultraproduct of the models M = Yljj M{ satisfies 
M h S. 1 As each M{ is in C and C is closed under ultraproducts we conclude that M. E 
C. □ 

Theorem A. 2 (First order definability relative to a class of models). Let C be a class of 
first-order models which is closed under ultraproducts and let K C C. 

(i) K is a C-elementary class (noted C-ECa) if and only if K is closed under ultraproducts, 
K is C-closed under potential isomorphisms and K D C is closed under ultrapowers. 

(ii) K is a basic C-elementary class (noted C-EC) if and only if both K and K D C are closed 
under ultraproducts and C-closed under potential isomorphisms. 

Proof. Left to right directions are left to the reader. Let's prove right-to-left directions. 

(i) Let C be a class of first-order models which is closed under ultraproducts, let K C C be 
such that K is closed under ultraproducts, K is C-closed under potential isomorphisms 
and K D C is closed under ultrapowers. 

Let r = {ip : |=k we show that Y defines K. For the easy part, take a model E K. 
By definition of T we have that 

For the hard part, let E C be such that \=T. Define the first order theory of 
the model Ad? as 

S = {(p : cp is a sentence and A4^ \= (p}. 

Let's see that there is a model for S which lays in K. Suppose not, by Theorem A.l 
there is a finite subset So = {01, . . . , a n } of S which is unsatisflable in K. Hence, 
Hk _i (0"i A • • • A a n ) which means that -1(01 A • • • A a n ) E T. As \= T we arrive to an 
absurd. We have proved that there exists J\ff E K such that J\ff \= S. 

By [CK90, Theorem 6.1.15], =$ J\ff if and only if there exist ultrapowers Ml 
and such that A4 Because K is closed under ultraproducts, in particular 

it is closed under ultrapowers, therefore, E K. As both classes are closed under 
ultrapowers, and Ml belong to the same class. Last but not least, as K is C-closed 
under potential isomorphisms and Ml = J\f( then Adl E K. Finally we conclude that 
M f E K. 

1 With a suitable ultrafilter U. 



53 



54 



Appendix 



(ii) Let C be a class of first-order models which is closed under ultraproducts, let K C C be 
such that both K and K D C are closed under ultraproducts and C-closed under potential 
isomorphisms. 

By (i) we know there exist two sets T, T c respectively defining K and KnC. Observe that 
the union rur c is not satisflable in C. By Theorem A.l there exists a finite subset So C 
T U T c which is unsatisflable in C. Call So = . . . , a n , /3i, . . . , f3 m } with ai E V and 
/3j E r c . As is unsatisflable in C this means that a i A • • • A a n —> A • • • A f3 m ). 
Let's see that it is exactly tp = ol\ A • • • A a n that defines K. 

Let M f E C. If M f E K then trivially M f \= (p. Suppose M f \= (p then M f ty= 
Pi A • • • A (3 m therefore M f ^ T c hence M f £ K n C. We conclude that M f E K. □ 

Theorem A. 3. Let (£, K) be an adequate pair and let Mi, M2 C MODS(£) be two classes 
such that T(Mi) and T(M2) are closed under ultrapowers. Let AA E Mi and Af E M2 be two 
£-models such that for some w E |A4|, v E |A/] they satisfy A/", u E£ A^w then there exist 
models M* E Mi and A/** E M 2 and elements w* E \M% v* E |A/**| such that 

1. T(M,w) = d T(M*,w*) andT(A/» =^T(AA*,i;*) 
Their translations are pairwise elementary equivalent. 

2. A^,w =£ and AA, v =£ AA*,i;* 
They are pairwise equivalent. 

3. tf*,v* =k.M*,w* 

There is a simulation from Af*, i;* to M*,w*. 

Proof. We define some names for the models which we will be working on before starting with 
the proof. Call Mf,g w — T{M,w) and Aff,g v — T(A/*, v). Take Ad^Af^ to be cj-saturated 
ultrapowers of A4f and A// (their exist ance is proved in Theorem B.7). As the classes are 
closed under ultrapowers the saturated models are in the same class as their originators. 

By [CK90, Corollary 4.1.13] we have an elementary embedding d : \Mf \ — >> |. Let g+ 
be an assignment for A4^ such that g^(x) = d(g w (x)). Take the modal preimage of Ad^g^ 

and call it A^*,w* = T 1 (A4^f,g^). We make the same process and assign similar names to 
models and points deriving from A/". 

1. As a corollary of [CK90, Corollary 4.1.13], as there is an elementary embedding, we 
have that Mf,g w M^,g+- The same proof works with A/} and Afj~. 

2. Following the last point, we can conclude, through the translations' truth-preservation, 
that M,w =£ M*,w*. The same proof works with Af,v and Af*,v*. Corollary: 
Af*,v* E £ M*,w*. 

3. As both A4^ and Afj~ are cj-saturated, by definition of adequate pair, that implies 
that they have the Hennesy-Milner property. Therefore, because we've just proved that 
AA*, v* E£ A4*, w* we can conclude that A/"*, v* =±£ A4*, w*. □ 



APPENDIX B: FILTERS AND ULTRAPRODUCTS 



The ultraproduct construction is a uniform method of building models of first order theories 
which has applications in many areas of mathematics. It is attractive because it is algebraic 
in nature, but preserves all properties expressible in first order logic. In this section we will 
make a brief summary of the tools presented in [Kei08] with some additional notes that may 
guide the reader. Unless explicitly stated the proofs can be checked in the publication that 
we've just mentioned. 

Definition B.l (Filter, proper filter, ultrafilter). Let / be a non-empty set. 
A filter U over / is a set of subsets of / such that: 

(i) I € U. 

(ii) U is closed under supersets; if X E U and X CY then Y E U. 

(iii) U is closed under finite intersections; if X E U and Y E U then X fl Y E U. 

A proper filter over I is a filter U over / such that: 

(iv) Vj£U. 

An ultrafilter over / is a proper filter U over / such that: 

(v) For each X C I exactly one of X, I\X belongs to U. 

Theorem B.2 (Ultrafilter Theorem, Tarski). Every proper filter over the set / can be ex- 
tended to an ultrafilter over /. 

We first define the ultraproduct operation on sets. Let U be an ultrafilter over /, and for 
each i E I let A{ be a non-empty set. The ultraproduct Yljj A{ is obtained by first taking the 
cartesian product C = Y\ ie jAi. Observe that C is the set of all functions / such that for 
each i E /, f(i) E A{. We continue by identifying elements which are equal for ^/-almost all 
i E /. The formal definition is as follows. 

Definition B.3 (^/-equivalence). Let U be an ultrafilter over /. Two elements /, g of the 
cartesian product Yl ieI A\ are said to be U- equivalent, noted / —jj g, if the set {i : f(i) = g(i)} 
belongs to U. The (7-equi valence class of / is the set fjj = {g : / =jj g}. 

Definition B.4 (Ultraproduct of sets). Let U be an ultrafilter over /, the ultraproduct of 
sets Yljj A{ is defined as the set of ^/-equivalence classes 

\{A l = {f u :feJ{A i }. 

u iei 

An ultrapower of sets of A modulo U is defined as the ultraproduct Yljj A = Yl u A\ where 
Ai — A for each i E /. The natural or cannonical embedding is the mapping d : A —> Yljj A{ 
such that d(a) is the (/-equivalence class of the constant function with value a. That is 
d(a) — {Xx.a)jj. 
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We now introduce the ultraproduct operation on first order structures. For each i G /, let 
Ai{ be a first order model with universe set A{. Briefly, the ultraproduct of models Ylu M.{ 
is the unique first order model with universe Ylu A{ such that each basic formula holds in the 
ultraproduct if and only if it holds in Yljj Ad{ for U- almost all i. Here is the formal definition. 

Definition B.5 (Ultraproduct of models). Let U be an ultraflrter over /, and let Ad{ be a 
familiy of /^-structures with universe set A{. The ultraproduct of models Ylu Ai{ is the unique 
model such that: 2 

(i) The universe of M f is M = Uu A i- 

(ii) For each atomic formula (f(xi, . . . , xj~) which has at most one symbol from the vocabulary 
C, and each f u . . . , f k € Uiei A ^ 

M f h <p(fw, fw) iff {* : M{ \= <p(fi(i), /*(*))} € U. 

Using the properties of ultrafllters one can check that such structure is unique and thus 
well-defined. Similarly, the ultrapower of models of the model modulo U is defined as the 
ultraproduct ^ = Ylu M{ where M{ = for each i e I. 

Finally we present the theorem of Los which makes ultraproducts useful in model theory. 
It shows that each formula holds in the ultraproduct if and only if it holds in Yljj Ad{ for 
U- almost all i. Observe that in this case there is no restriction to basic formulas as before in 
Definition B.5. 

Theorem B.6 (Fundamental theorem of Ultraproducts, Los). Let U be an ultraflrter over /, 
and let Ad{ be a family of /^-structures for each i E I. For each formula ip(xi, . . . , and 
each f u . . . , f k e Uiei A ^ we have 

J] M{ h <p(fw, • • • , fw) iff {i : M{ h ^(/i(<), • • • , fk(i))} e U. 
u 

Corollary B.l. For each set of first-order sentences T, and family of models Ai{ . If Ai{ \= T 
for all i E I then M{ |= T. 

Corollary B.2 ([BdRVOl, Corollary A.21]). Let Ylu M f be an ultrapower of M f , the diago- 
nal mapping d(a) = {Xx.a)jj is an elementary embedding. That is, for any first order formula 
(p(xi, ...,x k ) and ai, . . . , a k e M f 

M f \= (p(ai, . . . ,a k ) if and only if ]^[ M f \= (p(d(ai), . . .,d(a k )). 

u 

Using this results we can state an important theorem, the existence of elementary equiv- 
alent cj-saturated ultrapowers. 

Theorem B.7. Let $ be countable and be an $ model then there exists an cj-saturated 
ultrapower Ylu such that Ylu . 

Proof Follows from a direct combination of [Kei08, Theorem 5.6] and Corollary B.2. □ 

2 The definition found in [Kei08] has a mistake in point (ii). The subscript of A is missing in the set definition 
after the 'iff', it should be Ai. 
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